c736c862922d63df07511680c6bf1d9986ac7477c00e8b2da72033662068493a

Analysis

max time kernel
285s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 01:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

6503f847c3281ff85b304fc674b62580
SHA1

947536e0741c085f37557b7328b067ef97cb1a61
SHA256

afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
SHA512

abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Seven.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Seven.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation Seven.exe
Deletes itself 1 IoCs

Processes:

SevenCopy.exe

pid process

216 SevenCopy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Seven.exe

Executes dropped EXE 64 IoCs

Processes:

SevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exe

pid	process
216	SevenCopy.exe
14568	SevenCopy.exe
17908	SevenCopy.exe
18156	SevenCopy.exe
3088	SevenCopy.exe
10048	SevenCopy.exe
9044	SevenCopy.exe
7536	SevenCopy.exe
7388	SevenCopy.exe
12924	SevenCopy.exe
5940	SevenCopy.exe
5308	SevenCopy.exe
13352	SevenCopy.exe
6364	SevenCopy.exe
6304	SevenCopy.exe
5652	SevenCopy.exe
6932	SevenCopy.exe
6176	SevenCopy.exe
5640	SevenCopy.exe
6180	SevenCopy.exe
6792	SevenCopy.exe
6340	SevenCopy.exe
14524	SevenCopy.exe
944	SevenCopy.exe
5848	SevenCopy.exe
14564	SevenCopy.exe
6700	SevenCopy.exe
9748	SevenCopy.exe
15484	SevenCopy.exe
7568	SevenCopy.exe
10344	SevenCopy.exe
14544	SevenCopy.exe
4124	SevenCopy.exe
14428	SevenCopy.exe
15488	SevenCopy.exe
13140	SevenCopy.exe
9168	SevenCopy.exe
8176	SevenCopy.exe
8932	SevenCopy.exe
7672	SevenCopy.exe
9476	SevenCopy.exe
10844	SevenCopy.exe
14504	SevenCopy.exe
1584	SevenCopy.exe
7432	SevenCopy.exe
7180	SevenCopy.exe
10736	SevenCopy.exe
8512	SevenCopy.exe
16060	SevenCopy.exe
11592	SevenCopy.exe
9296	SevenCopy.exe
8412	SevenCopy.exe
15412	SevenCopy.exe
12504	SevenCopy.exe
2348	SevenCopy.exe
8960	SevenCopy.exe
8156	SevenCopy.exe
10108	SevenCopy.exe
15896	SevenCopy.exe
9876	SevenCopy.exe
10416	SevenCopy.exe
7192	SevenCopy.exe
9496	SevenCopy.exe
8424	SevenCopy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Seven.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Seven.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

SevenCopy.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	SevenCopy.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\KeyAndIV.txt

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

pid process

14400
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2916 powershell.exe
2916 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2916 powershell.exe

pid	process
14400

pid	process
2916	powershell.exe
2916	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2916	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Seven.execmd.execmd.execmd.exeSevenCopy.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4868 wrote to memory of 2916	4868	Seven.exe	powershell.exe
PID 4868 wrote to memory of 2916	4868	Seven.exe	powershell.exe
PID 4868 wrote to memory of 2080	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 2080	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 776	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 776	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 2696	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 2696	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 3456	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 3456	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 2748	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 2748	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 4120	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 4120	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 3104	4868	Seven.exe	cmd.exe
PID 4868 wrote to memory of 3104	4868	Seven.exe	cmd.exe
PID 3104 wrote to memory of 4224	3104	cmd.exe	attrib.exe
PID 3104 wrote to memory of 4224	3104	cmd.exe	attrib.exe
PID 4120 wrote to memory of 3384	4120	cmd.exe	cmd.exe
PID 4120 wrote to memory of 3384	4120	cmd.exe	cmd.exe
PID 2696 wrote to memory of 4292	2696	cmd.exe	cmd.exe
PID 2696 wrote to memory of 4292	2696	cmd.exe	cmd.exe
PID 4868 wrote to memory of 216	4868	Seven.exe	SevenCopy.exe
PID 4868 wrote to memory of 216	4868	Seven.exe	SevenCopy.exe
PID 216 wrote to memory of 3140	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3140	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 984	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 984	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 1084	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 1084	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 1588	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 1588	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 2560	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 2560	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3964	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3964	216	SevenCopy.exe	cmd.exe
PID 3140 wrote to memory of 1896	3140	cmd.exe	choice.exe
PID 3140 wrote to memory of 1896	3140	cmd.exe	choice.exe
PID 216 wrote to memory of 436	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 436	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 5100	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 5100	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3620	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3620	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 1584	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 1584	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3548	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3548	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 4640	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 4640	216	SevenCopy.exe	cmd.exe
PID 984 wrote to memory of 3712	984	cmd.exe	choice.exe
PID 984 wrote to memory of 3712	984	cmd.exe	choice.exe
PID 216 wrote to memory of 4060	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 4060	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 4428	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 4428	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3636	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 3636	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 4708	216	SevenCopy.exe	cmd.exe
PID 216 wrote to memory of 4708	216	SevenCopy.exe	cmd.exe
PID 1084 wrote to memory of 1508	1084	cmd.exe	choice.exe
PID 1084 wrote to memory of 1508	1084	cmd.exe	choice.exe
PID 1588 wrote to memory of 2372	1588	cmd.exe	choice.exe
PID 1588 wrote to memory of 2372	1588	cmd.exe	choice.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4292 attrib.exe
3384 attrib.exe
4224 attrib.exe

pid	process
4292	attrib.exe
3384	attrib.exe
4224	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
2⤵
PID:2080

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\SevenCopy.exe
2⤵
PID:776

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\SevenCopy.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\SevenCopy.exe
3⤵
- Views/modifies file attributes
PID:4292

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
2⤵
PID:3456

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
2⤵
PID:2748

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\Seven.dll
3⤵
- Views/modifies file attributes
PID:3384

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
2⤵
- Suspicious use of WriteProcessMemory
PID:3104

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\Seven.runtimeconfig.json
3⤵
- Views/modifies file attributes
PID:4224

C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
"C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1896

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log.html"
3⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3712

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1508

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log.html"
3⤵
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2372

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log"
3⤵
PID:2560

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2616

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log"
3⤵
PID:3964

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:396

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log"
3⤵
PID:436

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4012

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log"
3⤵
PID:5100

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1552

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log"
3⤵
PID:3620

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3628

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log"
3⤵
PID:1584

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3812

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log"
3⤵
PID:3548

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3520

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log"
3⤵
PID:4640

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4588

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log"
3⤵
PID:4060

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:5052

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log"
3⤵
PID:4428

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4832

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log"
3⤵
PID:3636

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1236

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log"
3⤵
PID:4708

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4908

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\ApproveSuspend.pptx"
3⤵
PID:1176

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:7860

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\PopMount.png"
3⤵
PID:2732

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:7464

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Are.docx"
3⤵
PID:3088

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:7980

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\AssertSwitch.docx"
3⤵
PID:3420

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:6516

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\BlockRequest.odt"
3⤵
PID:4292

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8204

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ClearExpand.txt"
3⤵
PID:3384

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8788

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\CompareDebug.xls"
3⤵
PID:4336

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10016

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\DismountRedo.xml"
3⤵
PID:1060

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8288

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\EnterSearch.pdf"
3⤵
PID:4564

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10056

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Files.docx"
3⤵
PID:440

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8196

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\NewRestore.pdf"
3⤵
PID:4720

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8336

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Opened.docx"
3⤵
PID:4680

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10376

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\OptimizeUpdate.xml"
3⤵
PID:2716

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8348

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\PublishDisconnect.xls"
3⤵
PID:3688

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10896

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Recently.docx"
3⤵
PID:5056

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8800

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\RepairMount.xlsx"
3⤵
PID:1216

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8320

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ResetAssert.xml"
3⤵
PID:4180

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9400

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\These.docx"
3⤵
PID:4320

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10748

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\TraceEdit.pdf"
3⤵
PID:4656

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10384

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\UnprotectBackup.docx"
3⤵
PID:3220

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:7232

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\WriteConvertFrom.bmp"
3⤵
PID:776

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10924

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"
3⤵
PID:4120

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10916

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"
3⤵
PID:4792

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10908

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\CompareInstall.bmp"
3⤵
PID:3240

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10872

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\ConfirmWait.jpg"
3⤵
PID:3312

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10932

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\My Wallpaper.jpg"
3⤵
PID:4476

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10956

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\RedoDismount.bmp"
3⤵
PID:2368

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10948

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\ResetTest.png"
3⤵
PID:3152

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9576

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1714135627.txt"
3⤵
PID:3616

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10492

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
3⤵
PID:3704

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11208

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI473A.txt"
3⤵
PID:4512

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10480

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI475A.txt"
3⤵
PID:5184

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10940

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI473A.txt"
3⤵
PID:5200

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10452

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI475A.txt"
3⤵
PID:5212

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10356

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"
3⤵
PID:5224

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11172

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240426_124230482.html"
3⤵
PID:5244

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10500

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
3⤵
PID:5268

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11164

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"
3⤵
PID:5280

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11180

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt"
3⤵
PID:5300

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10964

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
3⤵
PID:5324

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10700

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
3⤵
PID:5340

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10708

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"
3⤵
PID:5364

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9532

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"
3⤵
PID:5380

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11188

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"
3⤵
PID:5400

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10472

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"
3⤵
PID:5464

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10444

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"
3⤵
PID:5556

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15220

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"
3⤵
PID:5600

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10692

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"
3⤵
PID:5728

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10740

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"
3⤵
PID:5748

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10724

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"
3⤵
PID:5768

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9648

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"
3⤵
PID:5788

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10716

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"
3⤵
PID:5812

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10684

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"
3⤵
PID:5828

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10460

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"
3⤵
PID:5844

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15196

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"
3⤵
PID:5864

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:7304

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"
3⤵
PID:6032

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8852

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"
3⤵
PID:4076

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10068

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"
3⤵
PID:5584

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10508

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"
3⤵
PID:5724

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8392

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"
3⤵
PID:5548

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1476

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"
3⤵
PID:5928

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10540

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"
3⤵
PID:5824

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8264

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"
3⤵
PID:6108

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11252

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png"
3⤵
PID:5972

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:6800

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png"
3⤵
PID:6152

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8624

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html"
3⤵
PID:6212

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4900

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
3⤵
PID:6244

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9472

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png"
3⤵
PID:6356

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1236

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png"
3⤵
PID:6372

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14500

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png"
3⤵
PID:6392

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2852

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png"
3⤵
PID:6548

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:720

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png"
3⤵
PID:6568

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14404

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png"
3⤵
PID:6580

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14516

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png"
3⤵
PID:6592

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10984

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png"
3⤵
PID:6604

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10436

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png"
3⤵
PID:6616

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:396

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png"
3⤵
PID:6628

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14420

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png"
3⤵
PID:6640

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8836

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png"
3⤵
PID:6660

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4452

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png"
3⤵
PID:6676

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2376

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png"
3⤵
PID:6688

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14408

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png"
3⤵
PID:6700

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14492

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png"
3⤵
PID:6712

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15396

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png"
3⤵
PID:6724

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14528

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png"
3⤵
PID:6736

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14564

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png"
3⤵
PID:6752

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14436

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png"
3⤵
PID:6764

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14476

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png"
3⤵
PID:6776

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14508

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png"
3⤵
PID:6792

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:12004

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png"
3⤵
PID:6804

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14484

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png"
3⤵
PID:6816

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:5052

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png"
3⤵
PID:6832

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:5108

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png"
3⤵
PID:6844

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14552

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png"
3⤵
PID:6856

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1892

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png"
3⤵
PID:6868

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1884

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png"
3⤵
PID:6880

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3520

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png"
3⤵
PID:6896

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:12028

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png"
3⤵
PID:6908

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14532

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml"
3⤵
PID:6924

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1552

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
3⤵
PID:7164

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2820

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
3⤵
PID:5264

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9328

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk"
3⤵
PID:7312

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10848

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk"
3⤵
PID:7324

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2316

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Are.docx.lnk"
3⤵
PID:7340

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11760

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Files.docx.lnk"
3⤵
PID:7356

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9084

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ms-gamingoverlay--kglcheck-.lnk"
3⤵
PID:7384

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10796

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Opened.docx.lnk"
3⤵
PID:7400

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2020

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Recently.docx.lnk"
3⤵
PID:7416

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:12256

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\The Internet.lnk"
3⤵
PID:7436

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:12248

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\These.docx.lnk"
3⤵
PID:7448

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:12524

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"
3⤵
PID:7476

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10304

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk"
3⤵
PID:7524

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:8920

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png"
3⤵
PID:7536

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9688

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk"
3⤵
PID:7552

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9044

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk"
3⤵
PID:7572

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9076

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk"
3⤵
PID:7588

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1980

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk"
3⤵
PID:7604

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9864

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk"
3⤵
PID:7620

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1684

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk"
3⤵
PID:7892

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15496

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk"
3⤵
PID:7904

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15388

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk"
3⤵
PID:7916

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:12048

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk"
3⤵
PID:8176

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14556

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk"
3⤵
PID:6732

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15404

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk"
3⤵
PID:6828

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15624

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk"
3⤵
PID:6904

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15512

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk"
3⤵
PID:6612

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15504

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk"
3⤵
PID:7644

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15488

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk"
3⤵
PID:7508

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1648

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk"
3⤵
PID:6852

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15576

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk"
3⤵
PID:8328

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15640

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk"
3⤵
PID:8488

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14428

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk"
3⤵
PID:8504

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15632

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586085280888932.txt"
3⤵
PID:8520

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14648

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586085966055628.txt"
3⤵
PID:8532

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15708

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086206312543.txt"
3⤵
PID:8548

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:216

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086279146572.txt"
3⤵
PID:8568

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4952

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086489672153.txt"
3⤵
PID:8592

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15616

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086519342437.txt"
3⤵
PID:8612

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2332

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086580751035.txt"
3⤵
PID:8636

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1076

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086778327262.txt"
3⤵
PID:8656

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15692

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086798249226.txt"
3⤵
PID:8668

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15428

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088054759135.txt"
3⤵
PID:8680

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15804

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088680666336.txt"
3⤵
PID:8696

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16212

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092157337803.txt"
3⤵
PID:8968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15596

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092457469885.txt"
3⤵
PID:8980

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15864

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092759102724.txt"
3⤵
PID:9204

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1056

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586093118861419.txt"
3⤵
PID:7968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3628

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586093532550880.txt"
3⤵
PID:9264

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15908

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586093718685787.txt"
3⤵
PID:9352

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14832

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095008010161.txt"
3⤵
PID:9368

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16044

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095322670126.txt"
3⤵
PID:9388

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2552

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095622852471.txt"
3⤵
PID:9404

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16300

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586096481601425.txt"
3⤵
PID:9432

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15664

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586119079798965.txt"
3⤵
PID:9452

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3352

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt"
3⤵
PID:9484

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15456

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"
3⤵
PID:9500

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15940

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
3⤵
PID:9544

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:5044

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\AlternateServices.txt"
3⤵
PID:9556

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16380

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\pkcs11.txt"
3⤵
PID:9568

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15848

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nzxw1g49.default-release\SiteSecurityServiceState.txt"
3⤵
PID:9592

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15948

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6DEZ09S4\known_providers_download_v1[1].xml"
3⤵
PID:9624

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15656

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GO42234Z\update100[1].xml"
3⤵
PID:9636

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15812

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png"
3⤵
PID:9668

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15648

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png"
3⤵
PID:9960

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2924

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png"
3⤵
PID:10184

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16284

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png"
3⤵
PID:10196

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16172

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png"
3⤵
PID:10216

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16276

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png"
3⤵
PID:10236

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4268

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png"
3⤵
PID:9056

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3484

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png"
3⤵
PID:9032

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15956

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{33cca336-bc0b-4bf5-81f7-72f383d59d45}\0.0.filtertrie.intermediate.txt"
3⤵
PID:6788

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3636

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{33cca336-bc0b-4bf5-81f7-72f383d59d45}\0.1.filtertrie.intermediate.txt"
3⤵
PID:9588

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16036

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{33cca336-bc0b-4bf5-81f7-72f383d59d45}\0.2.filtertrie.intermediate.txt"
3⤵
PID:9428

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2700

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5b7d796b-42ab-4f4e-88b0-1a31bb688b07}\0.0.filtertrie.intermediate.txt"
3⤵
PID:10576

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1084

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5b7d796b-42ab-4f4e-88b0-1a31bb688b07}\0.1.filtertrie.intermediate.txt"
3⤵
PID:10600

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15996

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{5b7d796b-42ab-4f4e-88b0-1a31bb688b07}\0.2.filtertrie.intermediate.txt"
3⤵
PID:10612

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16092

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e2c42ba2-19d2-4e2d-8e17-d9665b28c25e}\0.0.filtertrie.intermediate.txt"
3⤵
PID:10632

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16148

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e2c42ba2-19d2-4e2d-8e17-d9665b28c25e}\0.1.filtertrie.intermediate.txt"
3⤵
PID:10648

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2312

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{e2c42ba2-19d2-4e2d-8e17-d9665b28c25e}\0.2.filtertrie.intermediate.txt"
3⤵
PID:10660

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15684

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7c78f2af-cc60-4ebe-917f-65cfd08ceb41}\appsconversions.txt"
3⤵
PID:10760

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15676

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7c78f2af-cc60-4ebe-917f-65cfd08ceb41}\appsglobals.txt"
3⤵
PID:10808

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16028

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7c78f2af-cc60-4ebe-917f-65cfd08ceb41}\appssynonyms.txt"
3⤵
PID:10828

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7c78f2af-cc60-4ebe-917f-65cfd08ceb41}\settingsconversions.txt"
3⤵
PID:10864

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16156

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7c78f2af-cc60-4ebe-917f-65cfd08ceb41}\settingsglobals.txt"
3⤵
PID:10884

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2412

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{7c78f2af-cc60-4ebe-917f-65cfd08ceb41}\settingssynonyms.txt"
3⤵
PID:10988

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4708

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{021d2433-3ee9-4590-bdbe-3995198298a8}\0.0.filtertrie.intermediate.txt"
3⤵
PID:11000

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1872

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{021d2433-3ee9-4590-bdbe-3995198298a8}\0.1.filtertrie.intermediate.txt"
3⤵
PID:11012

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2408

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{021d2433-3ee9-4590-bdbe-3995198298a8}\0.2.filtertrie.intermediate.txt"
3⤵
PID:11024

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4640

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.0.filtertrie.intermediate.txt"
3⤵
PID:11040

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3964

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.1.filtertrie.intermediate.txt"
3⤵
PID:11052

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1816

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.2.filtertrie.intermediate.txt"
3⤵
PID:11068

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4596

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk"
3⤵
PID:11080

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15380

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk"
3⤵
PID:11096

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1908

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
3⤵
PID:11112

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14540

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"
3⤵
PID:11128

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2064

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk"
3⤵
PID:11148

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3528

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk"
3⤵
PID:11224

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16392

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"
3⤵
PID:11236

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1876

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"
3⤵
PID:9616

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15720

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk"
3⤵
PID:9992

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15972

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
3⤵
PID:9256

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4480

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk"
3⤵
PID:10192

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16164

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk"
3⤵
PID:10156

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16104

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"
3⤵
PID:11280

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16292

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk"
3⤵
PID:11296

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4928

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk"
3⤵
PID:11320

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16072

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"
3⤵
PID:11336

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16592

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png"
3⤵
PID:11352

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\offscreendocument.html"
3⤵
PID:11368

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1916

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5GKYR5FN\www.bing[1].xml"
3⤵
PID:11384

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16056

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\MS6XK32D\microsoft.windows[1].xml"
3⤵
PID:11396

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4644

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\craw_window.html"
3⤵
PID:11408

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4396

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png"
3⤵
PID:11424

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16364

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png"
3⤵
PID:11444

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16316

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button.png"
3⤵
PID:11460

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1636

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png"
3⤵
PID:11472

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16452

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_hover.png"
3⤵
PID:11488

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:724

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_maximize.png"
3⤵
PID:11508

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16324

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_pressed.png"
3⤵
PID:11532

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2036

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png"
3⤵
PID:11584

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3716

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png"
3⤵
PID:11788

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3548

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png"
3⤵
PID:11808

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16372

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png"
3⤵
PID:11840

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:436

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png"
3⤵
PID:11872

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3212

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png"
3⤵
PID:12200

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4700

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png"
3⤵
PID:12216

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4488

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png"
3⤵
PID:12240

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16516

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png"
3⤵
PID:12272

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15772

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png"
3⤵
PID:12284

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1496

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png"
3⤵
PID:12296

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3408

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png"
3⤵
PID:12800

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1768

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png"
3⤵
PID:12816

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3032

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png"
3⤵
PID:12836

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16132

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png"
3⤵
PID:12872

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16492

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png"
3⤵
PID:12888

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16524

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png"
3⤵
PID:12904

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16484

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png"
3⤵
PID:12916

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16728

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png"
3⤵
PID:12932

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:552

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png"
3⤵
PID:12956

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16756

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png"
3⤵
PID:12972

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png"
3⤵
PID:13016

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16400

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png"
3⤵
PID:13032

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16508

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png"
3⤵
PID:13056

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16500

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png"
3⤵
PID:13068

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16584

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png"
3⤵
PID:13084

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16468

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png"
3⤵
PID:13100

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16852

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png"
3⤵
PID:13116

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16408

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png"
3⤵
PID:13208

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16772

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.png"
3⤵
PID:12280

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4420

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png"
3⤵
PID:13512

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16648

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png"
3⤵
PID:13528

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16436

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png"
3⤵
PID:13552

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2968

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png"
3⤵
PID:13564

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16572

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.png"
3⤵
PID:13584

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16064

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png"
3⤵
PID:13612

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16660

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\192.png"
3⤵
PID:13624

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16844

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png"
3⤵
PID:13644

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16764

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png"
3⤵
PID:13672

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16744

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png"
3⤵
PID:13692

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16780

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png"
3⤵
PID:13704

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16636

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.png"
3⤵
PID:13716

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16532

C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
"C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
3⤵
- Executes dropped EXE
PID:14568

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"
4⤵
PID:17272

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:17796

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"
4⤵
PID:17288

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:18164

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1714135627.txt"
4⤵
PID:17304

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:17804

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
4⤵
PID:17336

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:17812

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI473A.txt"
4⤵
PID:17360

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:18356

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI475A.txt"
4⤵
PID:17268

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI473A.txt"
4⤵
PID:17264

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI475A.txt"
4⤵
PID:17416

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"
4⤵
PID:17464

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1688

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240426_124230482.html"
4⤵
PID:17500

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:18344

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
4⤵
PID:17524

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"
4⤵
PID:17560

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt"
4⤵
PID:17592

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
4⤵
PID:17624

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
4⤵
PID:17652

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"
4⤵
PID:17700

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"
4⤵
PID:17728

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"
4⤵
PID:17772

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"
4⤵
PID:17828

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"
4⤵
PID:17884

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"
4⤵
PID:17948

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"
4⤵
PID:17988

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"
4⤵
PID:18036

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:18388

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"
4⤵
PID:18076

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"
4⤵
PID:18128

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:18392

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"
4⤵
PID:18156

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"
4⤵
PID:18180

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:3296

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"
4⤵
PID:18196

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"
4⤵
PID:18224

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"
4⤵
PID:18240

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"
4⤵
PID:18260

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"
4⤵
PID:18284

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"
4⤵
PID:18300

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"
4⤵
PID:18316

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"
4⤵
PID:18332

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"
4⤵
PID:18348

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"
4⤵
PID:18372

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 516 -p 14568 -ip 14568
1⤵
PID:7464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:17944

C:\Windows\System32\SevenCopy.exe
C:\Windows\System32\SevenCopy.exe
1⤵
- Executes dropped EXE
PID:17908

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
2⤵
PID:6244

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:5132

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
2⤵
PID:7156

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4580

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
2⤵
PID:8836

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:18080

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
2⤵
PID:6640

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4960

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
2⤵
- Executes dropped EXE
PID:18156

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
3⤵
PID:6516

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2716

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
3⤵
PID:2888

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3980

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
3⤵
PID:8208

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:6608

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
3⤵
PID:4292

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:6352

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
3⤵
- Executes dropped EXE
PID:3088

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
4⤵
PID:3700

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:6484

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
4⤵
PID:1060

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:13292

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
4⤵
PID:6972

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:6412

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
4⤵
PID:6968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:6408

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:10048

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
5⤵
PID:7272

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:7356

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
5⤵
PID:6384

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:8920

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
5⤵
PID:5436

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:9692

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
5⤵
PID:4724

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:7992

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
5⤵
- Executes dropped EXE
PID:9044

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
6⤵
PID:5856

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:8584

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
6⤵
PID:5364

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:468

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
6⤵
PID:5920

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:10360

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
6⤵
PID:6320

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:7884

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
6⤵
- Executes dropped EXE
PID:7536

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
7⤵
PID:12444

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:7800

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
7⤵
PID:6208

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:6328

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
7⤵
PID:5256

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:6288

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
7⤵
PID:10800

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:6452

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
7⤵
- Executes dropped EXE
PID:7388

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
8⤵
PID:6200

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:6508

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
8⤵
PID:3220

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:6136

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
8⤵
PID:10476

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:6272

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
8⤵
PID:8976

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:6168

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
8⤵
- Executes dropped EXE
PID:12924

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
9⤵
PID:5704

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:3224

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
9⤵
PID:5312

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:6188

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
9⤵
PID:13076

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:4632

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
9⤵
PID:5356

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:13012

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
9⤵
- Executes dropped EXE
PID:5940

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
10⤵
PID:5860

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:10080

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
10⤵
PID:5324

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:10936

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
10⤵
PID:6416

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:11764

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
10⤵
PID:10684

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:10720

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
10⤵
- Executes dropped EXE
PID:5308

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
11⤵
PID:4376

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:11188

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
11⤵
PID:13324

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:12112

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
11⤵
PID:13268

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:10968

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
11⤵
PID:13980

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:10920

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
11⤵
- Executes dropped EXE
PID:13352

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
12⤵
PID:10036

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:5936

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416120412367.txt"
12⤵
PID:9772

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:5280

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt"
12⤵
PID:8560

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:6528

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
12⤵
PID:13096

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
13⤵
PID:6172

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
12⤵
- Executes dropped EXE
PID:6364

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
13⤵
- Executes dropped EXE
PID:6304

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
14⤵
- Executes dropped EXE
PID:5652

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
15⤵
- Executes dropped EXE
PID:6932

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
16⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:6176

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
17⤵
- Executes dropped EXE
PID:5640

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
18⤵
- Executes dropped EXE
PID:6180

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
19⤵
- Executes dropped EXE
PID:6792

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
20⤵
- Executes dropped EXE
PID:6340

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
21⤵
- Executes dropped EXE
PID:14524

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
22⤵
- Executes dropped EXE
PID:944

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
23⤵
- Executes dropped EXE
PID:5848

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
24⤵
- Executes dropped EXE
PID:14564

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
25⤵
- Executes dropped EXE
PID:6700

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
26⤵
PID:9280

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
27⤵
PID:11004

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
26⤵
- Executes dropped EXE
PID:9748

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
27⤵
- Executes dropped EXE
PID:15484

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
28⤵
- Executes dropped EXE
PID:7568

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
29⤵
- Executes dropped EXE
PID:10344

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
30⤵
- Executes dropped EXE
PID:14544

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
31⤵
- Executes dropped EXE
PID:4124

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
32⤵
- Executes dropped EXE
PID:14428

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
33⤵
- Executes dropped EXE
PID:15488

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
34⤵
- Executes dropped EXE
PID:13140

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
35⤵
- Executes dropped EXE
PID:9168

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
36⤵
- Executes dropped EXE
PID:8176

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
37⤵
- Executes dropped EXE
PID:8932

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
38⤵
- Executes dropped EXE
PID:7672

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
39⤵
- Executes dropped EXE
PID:9476

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
40⤵
- Executes dropped EXE
PID:10844

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
41⤵
- Executes dropped EXE
PID:14504

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
42⤵
- Executes dropped EXE
PID:1584

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
43⤵
- Executes dropped EXE
PID:7432

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
44⤵
- Executes dropped EXE
PID:7180

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
45⤵
- Executes dropped EXE
PID:10736

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
46⤵
- Executes dropped EXE
PID:8512

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
47⤵
- Executes dropped EXE
PID:16060

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
48⤵
- Executes dropped EXE
PID:11592

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
49⤵
- Executes dropped EXE
PID:9296

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
50⤵
- Executes dropped EXE
PID:8412

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
51⤵
- Executes dropped EXE
PID:15412

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
52⤵
- Executes dropped EXE
PID:12504

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
53⤵
- Executes dropped EXE
PID:2348

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8960

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
55⤵
- Executes dropped EXE
PID:8156

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
56⤵
- Executes dropped EXE
PID:10108

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:15896

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
58⤵
- Executes dropped EXE
PID:9876

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
59⤵
- Executes dropped EXE
PID:10416

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
60⤵
- Executes dropped EXE
PID:7192

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
61⤵
- Executes dropped EXE
PID:9496

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
62⤵
- Executes dropped EXE
PID:8424

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
63⤵
PID:16052

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
64⤵
PID:7624

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
65⤵
PID:12116

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
66⤵
PID:4904

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
65⤵
PID:7716

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
66⤵
PID:9936

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
67⤵
PID:7076

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
66⤵
PID:7776

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
67⤵
PID:16564

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
68⤵
PID:1916

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
67⤵
PID:16552

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
68⤵
PID:16204

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
69⤵
PID:12328

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
68⤵
PID:16116

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
69⤵
PID:16328

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
70⤵
PID:16332

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
69⤵
- Drops file in System32 directory
PID:12720

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
70⤵
PID:16324

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
71⤵
PID:11056

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
70⤵
PID:720

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
71⤵
PID:12496

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
72⤵
PID:9308

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
71⤵
PID:12480

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
72⤵
PID:9500

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
73⤵
PID:16876

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
72⤵
PID:12408

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
73⤵
PID:2552

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
74⤵
PID:10256

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
73⤵
PID:12472

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
74⤵
PID:10204

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
75⤵
PID:10312

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
74⤵
PID:14264

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
75⤵
PID:9728

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
76⤵
PID:16216

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
75⤵
PID:12944

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
76⤵
PID:12596

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
77⤵
PID:16732

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
76⤵
PID:13036

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
77⤵
PID:16928

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
78⤵
PID:16172

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416720240166.txt"
77⤵
PID:12100

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
78⤵
PID:16976

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
77⤵
PID:16380

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
78⤵
PID:12912

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
79⤵
PID:12612

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
78⤵
PID:11928

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
79⤵
PID:12196

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
80⤵
PID:17036

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
79⤵
PID:13232

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
80⤵
PID:1952

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
81⤵
PID:4372

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
80⤵
PID:14932

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
81⤵
PID:15036

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
82⤵
PID:17096

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
81⤵
PID:10584

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
82⤵
PID:17112

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
83⤵
PID:13588

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
82⤵
PID:17116

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
83⤵
PID:16404

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
84⤵
PID:16708

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
83⤵
PID:16396

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
84⤵
PID:14968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
85⤵
PID:17152

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
84⤵
PID:13892

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
85⤵
PID:12056

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
86⤵
PID:17176

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
85⤵
PID:12756

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
86⤵
PID:3716

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
87⤵
PID:10404

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
86⤵
PID:4268

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
87⤵
PID:3116

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
88⤵
PID:13708

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
87⤵
- Drops file in System32 directory
PID:17208

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
88⤵
PID:4880

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
89⤵
PID:17240

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
88⤵
PID:14652

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
89⤵
PID:14296

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
90⤵
PID:12872

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
89⤵
PID:15016

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk"
90⤵
PID:10628

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
91⤵
PID:13572

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
90⤵
PID:9752

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
91⤵
- Drops file in System32 directory
PID:14160

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
92⤵
PID:9544

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
93⤵
PID:13728

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
94⤵
PID:13872

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
95⤵
PID:11844

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
96⤵
PID:11400

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
97⤵
- Drops file in System32 directory
PID:13508

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
98⤵
PID:15260

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
99⤵
PID:12336

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
100⤵
PID:14772

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
101⤵
PID:12556

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
102⤵
PID:14948

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
103⤵
PID:14076

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
104⤵
PID:12888

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
105⤵
- Drops file in System32 directory
PID:13900

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
106⤵
PID:14944

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
107⤵
PID:452

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
108⤵
PID:13648

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
109⤵
PID:14856

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
110⤵
PID:14284

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
111⤵
PID:17392

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
112⤵
PID:17452

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
113⤵
PID:18344

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
114⤵
PID:18036

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
115⤵
- Drops file in System32 directory
PID:18392

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
116⤵
PID:17980

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
117⤵
PID:18092

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
118⤵
PID:4436

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
119⤵
PID:17840

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
120⤵
PID:900

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
121⤵
PID:17584

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
122⤵
PID:18164

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
123⤵
PID:8204

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
124⤵
PID:8268

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
125⤵
PID:1512

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
126⤵
PID:10024

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
127⤵
PID:11156

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
128⤵
PID:8772

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
129⤵
PID:5244

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
130⤵
PID:5144

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
131⤵
PID:7020

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
132⤵
PID:5700

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
133⤵
- Drops file in System32 directory
PID:5492

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
134⤵
PID:5224

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
135⤵
PID:4532

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
136⤵
PID:3244

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
137⤵
PID:10924

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
136⤵
PID:5420

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
137⤵
PID:9180

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
138⤵
PID:5672

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
137⤵
PID:6644

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
138⤵
PID:5452

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
139⤵
PID:5584

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
138⤵
PID:5556

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
139⤵
PID:8480

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
140⤵
PID:9424

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
139⤵
PID:7276

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
140⤵
PID:1708

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
141⤵
PID:7872

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
140⤵
PID:3504

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
141⤵
PID:6456

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
142⤵
PID:7828

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
141⤵
PID:7012

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
142⤵
PID:6944

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
143⤵
PID:4996

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
142⤵
PID:5668

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
143⤵
PID:8340

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
144⤵
PID:9076

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
143⤵
PID:3092

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
144⤵
PID:7992

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
145⤵
PID:4724

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
144⤵
PID:6280

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
145⤵
PID:9048

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
146⤵
PID:6300

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
145⤵
PID:5760

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
146⤵
- Drops file in System32 directory
PID:4140

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
147⤵
PID:792

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
148⤵
PID:12164

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
149⤵
PID:5708

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
150⤵
PID:6020

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
151⤵
PID:7384

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
152⤵
PID:10464

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
153⤵
PID:13316

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
154⤵
PID:5892

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
155⤵
PID:8620

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
156⤵
PID:12428

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
157⤵
PID:9036

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
158⤵
PID:5628

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
159⤵
- Drops file in System32 directory
PID:9448

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
160⤵
PID:6016

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
161⤵
PID:11748

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
162⤵
PID:5592

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
163⤵
PID:1672

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
164⤵
PID:6444

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
165⤵
PID:12252

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
166⤵
PID:5812

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
167⤵
PID:14008

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
168⤵
PID:11760

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
169⤵
PID:7372

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
170⤵
PID:5936

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
171⤵
PID:5988

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
172⤵
PID:13024

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
173⤵
PID:6872

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
174⤵
PID:3604

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
175⤵
PID:11112

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
176⤵
PID:8160

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
177⤵
PID:15820

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
178⤵
- Drops file in System32 directory
PID:15672

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
179⤵
PID:9376

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
180⤵
PID:8636

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
181⤵
PID:8568

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
180⤵
PID:8572

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
181⤵
PID:9144

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
182⤵
PID:8848

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
181⤵
PID:9228

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
182⤵
PID:8328

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
183⤵
PID:8684

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
182⤵
PID:8956

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
183⤵
PID:15904

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
184⤵
PID:11600

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
183⤵
- Drops file in System32 directory
PID:15780

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
184⤵
PID:14520

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
185⤵
PID:6780

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
184⤵
PID:14924

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
185⤵
PID:14508

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
186⤵
PID:9304

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
185⤵
PID:16192

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
186⤵
PID:7512

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
187⤵
PID:11432

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
186⤵
PID:8172

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
187⤵
PID:10332

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
188⤵
PID:7732

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
187⤵
PID:9904

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
188⤵
PID:1520

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
189⤵
PID:10976

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
188⤵
PID:16360

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
189⤵
PID:7068

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
190⤵
PID:2132

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
189⤵
PID:15508

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
190⤵
PID:6512

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
191⤵
PID:6876

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
190⤵
PID:13740

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
191⤵
PID:15300

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
192⤵
PID:14132

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
191⤵
PID:14020

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
192⤵
PID:11544

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
193⤵
PID:8280

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
192⤵
PID:11380

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
193⤵
PID:11968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
194⤵
PID:6908

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
193⤵
PID:11868

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
194⤵
PID:12276

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
195⤵
PID:2332

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
196⤵
PID:1712

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
197⤵
PID:11540

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
198⤵
- Drops file in System32 directory
PID:8872

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
199⤵
PID:8484

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
200⤵
PID:16296

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
201⤵
PID:15968

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
202⤵
PID:12104

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
203⤵
PID:8188

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
204⤵
PID:16188

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
205⤵
PID:2336

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
206⤵
PID:16680

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
207⤵
PID:2020

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
208⤵
PID:12720

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
209⤵
PID:16156

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
210⤵
PID:14148

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
211⤵
PID:10516

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
212⤵
PID:11908

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
213⤵
PID:9164

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
214⤵
PID:14144

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
215⤵
PID:11072

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt.420
Filesize
16B

MD5
6e28e6b8a91686a0da3fdafbd23b112e

SHA1
8d1cb166d929b2a05ebe44d3ec8574d84c96aa7e

SHA256
c043ec56a09ee9d453dc7d2330775fa9520b72cd2d39e232b34ddd0bd1c82f03

SHA512
b4c38a8e5c0237ff1c4bbf54a5e64e3a9cd9dfa6707fc1836dcb689cdaac967b263b71628bce4d38236ea3f529405eb16bb30b7979c5c3347030d616ab2086fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt.420
Filesize
16B

MD5
4e7b8da308e9908251bcf8312a787998

SHA1
cbaa9383a43b5d0dfa2555913528073736483ff6

SHA256
81847657e3c0f69839a0a4f82f1de288c12a93d14ed5a7defee73778b461fa28

SHA512
ab419a82335dacc0912f2366a57eaa756a99d774ca0b4ac4558e14d681daf35fe124b8a08af95f099c2ed7710467a332131a7dc07414551f8b84286804b76e6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.420
Filesize
2KB

MD5
79c6d2f86802a292f41fa3c385f61fae

SHA1
c64a66a9a2f645bcb309ea9d10813f557a05294f

SHA256
5910fcb4482dd12e202860f1fc72fa144aa27b390fa275901092f9214398fe9d

SHA512
cbe4311403e3bdc10e33ca0ff2d8a380346769a01a9cddfce292eb5da3ef506a47570f301868acc7bf4e52b1a483dc984b9f35bdfbaea976f3da388e099bc6e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.420
Filesize
6KB

MD5
e1080419d13a4eb52d8658ed14d20637

SHA1
77a6697dd5711f38feaf10c07554cfb7bd88d771

SHA256
9c2665049ec9eebe0e8e5d18ba5c42c09744a237e4998047445ecd9d31b5fdeb

SHA512
c00acecea44789de1a8c5f4d5631dd1df4e179fb44a0ef43bdece26db74bf338e4f40183d377d995814c9e3ad2019833c33387488c043ae1d03de4cfe66b0889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml.420
Filesize
321KB

MD5
585002fd4d920042c3df96a55b15265e

SHA1
8a3460d110c788735ee5318452be9d66e26cf803

SHA256
012a9ca399cafc89ce6de583f6759e283aaa6ace0ba18b879a70e67c71cd28d1

SHA512
5fdf32a7e064818cc8d3ce3dc3f12c11766630f76d58f93e7b0f44e093175cc2e584d34f05b85ac13747a1db297fe1e4de59333caa8daefd1900abfc43842d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml.420
Filesize
560B

MD5
ce7a2191490b33f6635bf3172acee6d8

SHA1
f02feff3160bca6d14b7169de2cb713c2310630b

SHA256
b9166a5fb3af0a1ca977221e0cd131e4c33a6bfb7e48bdde79822e9d69592784

SHA512
c801dacde4163bdf7ed6c21eb13e5acf2a7ce71b3f6f5a003e58f8580f2651b7adc543a3e680da9183262a1cb87bb796762b8ae86a1c8637cddd1f937f5231ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml.420
Filesize
100KB

MD5
6df18ce09245971e338740f870084394

SHA1
a40043b2edff084d0524361d9854440eec48dede

SHA256
c5da6142ec5f836293652b73c9bf8fd91847c35f16cb5956e188ec6a7b1c0315

SHA512
f345482afaf6130cef932814a0dd957fb0c7ddf88190f634c911c4eb909a9f8032cf834ae898875a5f7a61df7a5669602cf1a426145e6a1902433477d86eeec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml.420
Filesize
130KB

MD5
971626d372e843e06a467e87531980b7

SHA1
afc29ec325c6cffe180db538f1ea37f084b5cc07

SHA256
4869597258a3ae224079a5ff5d841113e544af2403c4911e9c1776d811ba149c

SHA512
796f07f0e93ce9deebe926f6d24f843cf572a0fcf14e156629768d612cb01964fac9cd258e992894556c8bef13c63f0f19de88aa8ccdd6896b45045c66459413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml.420
Filesize
270KB

MD5
85146fe4b4856a1b57a6172c66bbd2c9

SHA1
6c9bffc717198baad4466b6ac7faf1588de5118e

SHA256
8666046bf445502116e8b34da531e987589159616ddd727fc4623c8f3f0f2fea

SHA512
42561081193f7720810936336fd3dddd1e08e2ca6ae39751f124a8798282eb7972f42acffac320d5d6adec84b747de2ce86117b7117e9675d2338acd2f5667ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.420
Filesize
333KB

MD5
b2d58c31fa5c5e0610a191cd225ddf8c

SHA1
162d4827ae036ed28d1a32ea1432717278a043fb

SHA256
eca3a52060f14ed8976fd20828d69c0acdd26f7e575d8f5152fdd371329f35ea

SHA512
7382ff2ea0df08e7d65ee254f688c4b2e084f2ac664731f53c0afe2f30e1f1ddcafcc7feda0521cc9d43abf8aaf7164e52bf13782cf5281928398e8d82b9323b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.420
Filesize
5KB

MD5
7ddfa22afa17b213b92a2d706cedb7d4

SHA1
3ce6e66634953a4676609f17dd7c917288151cb7

SHA256
568c811db6c7f33dce5723a3e73934cf7639f6fbffa43f2699ecc471953d083a

SHA512
119b92a454857cedb6707217f2f59d886ba075b5585616343c86708bf78a6e299a34b7d1a66471feaddeb970197be5a0a0cc273044762c69eae1331b1acf5860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.420
Filesize
7KB

MD5
af406b2f60e1bdc11f38941d4c8ee789

SHA1
c2a5e8544d6d052f31d4be12b56bcc79c7075228

SHA256
f2f3321fae628993beeb9510f3413887be214dd23d438c59ee4fc04ce5577e19

SHA512
06d53eb7a72a654613e6d6c950664fe6dee076f14fa5bf454bceb658e5c02c00f183d82374587e9c3bddac9a7c224db047fbccd51551a29e18feef59e753c492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.420
Filesize
8KB

MD5
20212b619de20ca8036bcfa143b448a5

SHA1
257258f87b8b35b6269a59f62832d91e978dcda8

SHA256
56567fdd908eb6c58aecf155741eca281ab127131056baba63c25b5882160180

SHA512
e427ae838380b97dd33d4bdd507bacac8788aabd095223d5f73b4ccd341d10aca6eb9b9b1da51adb78666cfe3746e5847e71103464bbc9b55c802777f14593da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.420
Filesize
2KB

MD5
117b11840457bb459a7de042aeaf905c

SHA1
e8ea99d0a748a512e3a6d8b8a3954ec2dfb9f549

SHA256
c82ceb7025d365cb99c623060b4676c4b8c61393818ff5cf48ae51dc5dee4dd5

SHA512
20a3d7c86d4d5388c4a6a2d91067b3d7484e5506422747e77237ad31f53f8af407919f12468975402a9fba1d91e0c2f03f316a2b2224d87e56e87facfb022165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.420
Filesize
10KB

MD5
3bc42eb1eccdfafa617b61474724dac2

SHA1
6a26940a2e23be374d418ec2ec606b50f84bb0a5

SHA256
88cd551ed0c80aea22a7cc6bfb3bf7dcb9f49abc7b7bff007f7532157f1298c1

SHA512
08a12861bb2320022298b5f1707f245671ce8a46766b4700f47a66d6bbeab79285d156ecd6fb32058ebecaf5b8a52691f4a6801177bfc3867f865130e5a2d678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.420
Filesize
7KB

MD5
79aa301d332168d9ecfba9705dc6f18f

SHA1
f47eb9382e85cf252f7ba4fcaa983e71d9031097

SHA256
90662bf8645df521077b9de4fbb61b355791f2b7638d0250b6b0b21c3b5d418b

SHA512
2819fdb2dd5851bb19455176ef6016ae44789552632cda589ad07c89d54f1c8b91f00f0c060ba83b64946b8973463441eb60f82835d2f4b95ac22a5d2dfc6e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.420
Filesize
4KB

MD5
3dff36784bd6d115206129782508df22

SHA1
b84b2cd5fa681000cfe543e09e0cd1af0e0e2645

SHA256
2a43eb1ff6700e2111e4737de83ea2af08c9bd2369dbd3253cfd6c2b7d0db60b

SHA512
5c5e2378920f60f91f5f512c04ef63f5b056c03a90be965bcd5c293d7f9b39c9d292ff9f8e037f8aef98d3ceaa7d8bf5545d23713fd24076c2eecf2823ea76df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.420
Filesize
7KB

MD5
6482ceacd5de556c906e9174ea213ac4

SHA1
9656e3a8e1315f109c3f4cc4d7df5427919ed736

SHA256
8d789177af9a428e3e035d4b574983aa577d227f341b12800d0a4dfebc20c84a

SHA512
8c7dd9b2fd53b38b20f38a1cd79d1c7d63c93f6d50fa12b81856cced8ddba7b840e50dc44a927d56f7553e5b6436d352abfedf5b885328ab65af8992781d8d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html.420
Filesize
6KB

MD5
a3a2e4e16aaaa6cca6e15f9c90eb7dfe

SHA1
54e9f7ad2b8e11526c7006dffe24cb2376d546ba

SHA256
5ba1dbcb7f628236eb28138e59539ab100dcb9c6c8dc58970780edc8deee4e6e

SHA512
830788686f299d92dddb14c23b5fe3161d438362a7a235ef74ae3fb6cf6043bf39ecc91cbd4f28c605198b8982326ba38f975f525b4375ed146c8acc642e1b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.420
Filesize
14KB

MD5
c7a6875d4b6bd830b490da8514d4ac8c

SHA1
5cf2cb12dd45468f56c07fdda90066982bb21a41

SHA256
5d0cb829307b1ac8ed6ce598bfdc25a10bcf31fa253d78ff65576472e21c7aa8

SHA512
245b0a07e81f2bab9ea6dad29629059e54d83940dbf90b1caec564733c29230380e25e87f06f48da04ff653236fa46dc168bb6bc65a96e8b20663e432f5f84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.420
Filesize
10KB

MD5
ae81ade97d2022bc559f821233eaf251

SHA1
4d2db669aed5219ebd52b0275dfcbee823364006

SHA256
51ef1bccb57ec7f93b6e4e6aaca6234b3d2e1fa7c88af2e3b24b7635bf73ff3b

SHA512
a662848e8eb903f3183c4e6c8d72f7200c6cdbd284c7427652d7ea786de624d330e542ecc0965d9988a1e0dd32756208119ecd3d709ddb6be4f75f1b5451f561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.420
Filesize
10KB

MD5
f5d45c66151be312d7930f8dd76d263c

SHA1
39607f30eab1acb130a6f3bc33826dadc791a3d2

SHA256
886066767cd98f0571bf04e7028232c05e670ba855de71fa9f29c5d217a96bd8

SHA512
719ed3b7fcea5153beb0c7b310b39f249a2b6e043e24bc501435478f5e5fff37b65d0787aad72de377fcfd6ee7f783154ea53da48e513b6d7add850c83d4c492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html.420
Filesize
6KB

MD5
c3588d56a93318f10a1f793601c624dc

SHA1
c86a79454eec483d8af919daa89f11650ca89535

SHA256
80483d2a355989aa4caad3b74ea89a8e7a85af2e693c11ebf968bab3637dd668

SHA512
48079d6cae5d6128fb1ed2531d1df0dabe08fb758edf6091be2d1c745c105062924b15ed23e024d52be0f44bf64d86defc6ca6aca67588749262382a23c94fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.420
Filesize
4KB

MD5
2137052f3a4740453eef134d833fe515

SHA1
899afc8803980257f87f68fce70526f44e4681cf

SHA256
b9f30902704f6f64d5f9677182f9021a43e57a03bf72729bcb4d7b4e59f902d2

SHA512
8f39d8c36087f04695360cc7321ed275ef2df6dfa5d5d139551e0096dd4659058165db778d936cfe81e2ee6cf42d672efadf664d0840617c7cc11c42c493463f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.420
Filesize
8KB

MD5
5ac6e918f45de88df57be721161ea6b0

SHA1
99a9798c124b034be5c62013d6b0ca141d1d3562

SHA256
76a0f92020287fd0c32485b054fd08ab0bf8248f3fe3ec7b50455b22ab67ea05

SHA512
932321e9768b216971ec621a2fa884351cca2baef5226e0b5747d0709b851ed09ba3f2d33306a1cd2deb9f4ce4b33227f36bc16468668b7c71b632a974a44c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.420
Filesize
9KB

MD5
3add9f876b690d3d8e2960d9a9c94a5b

SHA1
e8c47cc3c90b5ab817be43aedfff0fbbe4011f62

SHA256
cc7ed7956b82eca55f9c4baaf1e4b37bfce9397b859edea361f1b9c3903a6ae8

SHA512
44a4804b2147d40e82b2d408354a0fa733744119e4beb8cca5366a604db87b48fd3a92e1ffdf15664d6dac14b1110af5e1b7df496d54b7c42d8d262ac67b8385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.420
Filesize
720B

MD5
7292c68b20c58e9c78acb05ca8c9d56e

SHA1
e01722906f89a7a3a728c8c385ac9d306bc485ad

SHA256
14cf318ff227a7a73e5441eb91cd513fe134714b58a8b1863495f3abe4ab2f71

SHA512
95c0da6794cee8c658d1f9bed5b303e2b4f861c979b598f69876bd57ddc2e31fd03996ceed01253783bf5f4d8c9fbe303514844633c14f2286f083781099b425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml.420
Filesize
352B

MD5
83930b510ce271650edd8d5e457fd006

SHA1
9b4a2f832b345311ecd0cc5aa073f4992db964b8

SHA256
ae915fa3382bd04ed86f8b628a2d2c9232c9119e3e02098ea926a4e7f1ae41f3

SHA512
b11219dec88c6018eeb32a53b85516e4400f87a19ca215cdd0523750adbb748728903c3d52f88525ed4cc53827d634502c981e0fad453cef205d0599208970f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.1.filtertrie.intermediate.txt.420
Filesize
16B

MD5
e8aaa566651759e399714d464cdfb390

SHA1
373942a3618c8d5ff0ba8aab8e22d4a64e5641ae

SHA256
1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a

SHA512
23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{7ec85bca-bbb0-41ec-8dd1-40aa1ad30532}\0.2.filtertrie.intermediate.txt.420
Filesize
16B

MD5
209371fb985ae536f7a01b2cbf06fdeb

SHA1
6e5d735e5a6aef442f3342931eaf47d505763578

SHA256
4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3

SHA512
53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086489672153.txt.420
Filesize
77KB

MD5
dd56b5f0a861b48dfce9d275bf9087b5

SHA1
17a164cc7fa4488e4a975f85b405ecf9c45e4a29

SHA256
9813caceff5a80f3eaa65fb89f291f49cd1cac4f7e32f49bedec232facf53eae

SHA512
8c5b86ecdfda4d98f8b1b9c69657cd07fd5c87531ae313bb3c7f16fb47097205040e57241a46185aadb61e695266c4cdef959644302da1787ca5c7be12c8fb0f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088680666336.txt.420
Filesize
47KB

MD5
007cdeeef4694b382d2a181c27773629

SHA1
74087753dd3baf84c932cdd46a55d25c629d13cc

SHA256
b4fe3e4b415ed5d9b4c345a4c80801ce47b2ea32eba257a6f0634554637f96ef

SHA512
f9865ed1bbff04a4b3c0a63b3803a54c82d81182c6abc0bbc9823a1b464a72525fa091fe7f4f211d1ada2f1f6c4eb6f63461295cf59d7b10337b0b46b88f878b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095008010161.txt.420
Filesize
66KB

MD5
49decfe81666667c457426ab0aaef75f

SHA1
acc34ab1529ea7dd693f03363c142bdef769a7cd

SHA256
a43dba137e9a0e50daf794f7b2969acd3dd4232f05736aa7112ef57b86216de4

SHA512
bd0dd2daf63f9deddca74b6ee2f36c54efe05f920a33af26b14609850e87f9743169c6f7f5552bd38a3bc5257a29b5fe16950bba31ec1f62d56c5fff3ec5b302

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587416418758765.txt.420
Filesize
62KB

MD5
fa857eda8e8755189415dbd365022f7f

SHA1
4c99d5630a26cecebe8068b15d3b98e3e686b28a

SHA256
f9cdd6248aea0dbffd41e7b1289044158625d67867fe16a054fe130fac09beb3

SHA512
176f663e422a715c760a8eb587fe7bb2cf673f488c5f3eed2c673261246b0d7aa4c31f9d63e84d0a67011878d8618cb682e4fb4a0347a5b2a5b782cd32286325

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1714135627.txt.420
Filesize
16B

MD5
bea21141aa401823a718b5744650822b

SHA1
bbe9cee4379b81dcf6fdf92aff28f2209563ce50

SHA256
57535fe04df416b5a689aa33f01d8e939f1d91fcae25c0c3cf8192baf417b1fe

SHA512
281f779891962273de9f795dea1917044247dbbe427d111b43027c08ad70577aeffbbb6dc8e68cb0013ebd1ce6103e10f1c71c7e144e75df15c76865ed9c9a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240426_124230482.html.420
Filesize
94KB

MD5
c3ecc2ddf16b7666b00a891ede5cc152

SHA1
7a981fcaefc8b9185055a5b7c8f38d1001017966

SHA256
68c6f7bbc7265ca139bbd5caf8f7b45f4c2b04b4d6f3e52254beb2ec79f2b54d

SHA512
a2e4d98f389128268d98f19018ce0b75ecc1bc684d99b37c8f05817899eb693da794e20b707430f4bd26543caa5ed1cca6f2cf580e6e79d5bae6c9a1cfe016d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_imepy315.lx3.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.420
Filesize
1KB

MD5
8ed44b353218cc17429b974f4b2830a6

SHA1
cc9b4289d4f2e0362071105b3ca118075600911b

SHA256
ae3b52489956580dc188bdc32dc9200ca851d26f4f3a44f37a29d5f6a6b3ea6c

SHA512
70d54c71bccaee19cb9fca1a888add4ff50321561c8d6aa5a8ba50c5691dc6e8a75190e79a1fb10041486f2c8312d0d451c0869d8e8ebccd3869158e9d1fef6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI473A.txt.420
Filesize
428KB

MD5
84eb6cd0654865ed4d41f0408e8484aa

SHA1
bb7f798025c790dac5e85d533263d41881e40688

SHA256
3db8fb89373bb194a09a672d8c39e8bc3eed2be9e7f0a8a8468269d6d16f683c

SHA512
3243061bd1818cfd9c71e5ae8091559bfaf36240dd184ca1352705798af8020d3c47bb738a090ebea3ee95757d071c0862a7882e723dab4edc63ee7641bbd15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI475A.txt.420
Filesize
413KB

MD5
cfc870f27f94854ebc2f0d28215bea5f

SHA1
b32826040fd94cb3e2bb9b38aa0e458d8b401c4e

SHA256
8429d66d4c7f7a6f0e551b3c66694c6e363c2489fc260265ff9c7b8c779be68f

SHA512
0fad73b44b665588b8d28d28ccd6777685b93e0fdb648a3bd7772e7d073104dc3d9028bec683f58caf855f8320316af18a2471daf5af45f3758d31e1d40335e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI473A.txt.420
Filesize
11KB

MD5
072f20b95df34ea7765a5c109b8e7126

SHA1
7e508b79f6b06c15bea13f30bed33e5d29ecec95

SHA256
f9cea63d55b51a79e6c69a14067d20ccb3cc5828cd43b26b74cd55c33f066225

SHA512
29ac884781f39bc8a5bc1bd48e407aa78debf84c70585134954f17a51dfbb10c1f096a3dcba8c33a8445f88c9d7d40d9d3a708b15633bee68cf2733e135b1243

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI475A.txt.420
Filesize
11KB

MD5
9e0523ddb78f8d0a0da38087fbf71e27

SHA1
8cbb9e013b58774e557225cff829e02290924828

SHA256
ef0d3e14647c10b43d887fcbfbe22910709526856ed03cd7c994e2f7e6654b82

SHA512
e64f553b676e6bc0f7d63872e22cbe7948fbdd161d299e0e6f98437d3dfef23947b0d57c8d1b30c8b490dc0b2ee2a05211074b518680b58db01b59fff44871d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html.420
Filesize
16B

MD5
65e115805f15f9cda5eb01e8f742d121

SHA1
e3ecf29bfa71ce07baf8d02009afb8766f35981b

SHA256
7852451b2b252515f369b14bd765135c2e11fee72276b5020e3ed61513c5611a

SHA512
dccbfdd893e5806fa1418e48e0c0c72ec2d1266ee7de48fce34bf3f74bda7e0682e8bf90de53594f34c3d5682c8164d9f6b6ea3977619be8487c2e339faa1ada

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\EncryptedLog.txt.lnk.420
Filesize
592B

MD5
7ed3e406131f6e5a5ee0aa688bcd2c4e

SHA1
2bb01b0874d44c7cc62c19bd1a34970e16108a66

SHA256
7a7d27b7752fd5a6f46fd0dd26a230743107b3809bb88a24a526f37584baac71

SHA512
e0efbb500e362c6d1496061d2a5a6c8ec63cc7299adbbe257eb1cff3fa08e667ca456db7c6cde0c5353483f570947b3ff653259905c2c5883d71343e79b54452

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New Compressed (zipped) Folder.zip.lnk.420
Filesize
464B

MD5
1676b27ce906d4f0aaaac9f41c30c4a6

SHA1
678e65599aba187b2d1f4f96d2a4b0a32f2c1e4a

SHA256
fe8874e52f9f5f3ed1ca78868c75d065b1557e26f4288ef1d84ef2f47af903b1

SHA512
4bfe3eb0cc0e66475d9461f5e1e3998f2d790bcaacf064d472a809048971d0ce8ddd0e1d85b9cbdbc4044c3445f3d742a3c2b416c9ac6b6f0ef8f8d29bba659f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk.420
Filesize
512B

MD5
95971807bbc4eefe54a5889e69a5a4ed

SHA1
6458a972105b06074cc16a5e37d97ca1fa7ef6ae

SHA256
d36efaa860210b22c3055b811bf110c37df4988afaeb2a2ae390f2dfcca01e77

SHA512
1110445dc44525f68375b3990f17e364dbfb90139dd0fa3d90c3b2cb3f977c559d9309ede4ec0694e5f69edb4e5cbafd88a0b66b5ed091cab987a889ceb3c32d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.420
Filesize
51KB

MD5
4927e0cb561d4450afc0b847853f42f2

SHA1
4a3645773d95ed07b59272871f2e88c399adf0dc

SHA256
8ed353d134b8d10b78f61ed8bfc614aacaff504a1d0659be1d245ca97c759384

SHA512
5ec501ba8e731ab4ca7df72887850bd560e65151d03a32be9839948df2f12d38ab921bf3a30fd73e41262925aa1b43ad1b8b9b3eb6e500f82c1985cfb34145c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.420
Filesize
51KB

MD5
f14ebdbbc002c8ca15a7b7e139b01b25

SHA1
361c8e0f9e1480937b44cb208b65da4cd85d3d52

SHA256
c4ac4b34f8ac38a53e2eb6f1b35fefc01cd61c9c325e6ddf5f2d54de518515b8

SHA512
a9b2de5fd410db8e58b10fd8b0d854c8c9b191cc4157d38adb07600ee89110665169849d84692a749798db7063de233d837d31f1b0a85b248bad7f32ee4fb269

Download Submit
C:\Users\Admin\Links\Desktop.lnk.420
Filesize
512B

MD5
92aa50871d73ecc8107781504a042f76

SHA1
68d154dfaa6786d24037223bb2614653cd49acaa

SHA256
a3e1cf594513a2eb12f4867607adf6e83561d1323a99e662e7eecff1c36dcab6

SHA512
fcba8005a307f17b04a64d443e68be540c7c9df75493f87c06a0c27be178547053b1103f3bb3e713bf6a4afaf0502bf556d2acefb3ba3344f26afed95b593457

Download Submit
C:\Users\Admin\Links\Downloads.lnk.420
Filesize
944B

MD5
04b6404caa47d1eeeda529d3c771f22a

SHA1
ff41e0336655700d9368e0dbbac5422b2f561658

SHA256
41ee8928e130c1e7178a629c8fd9bb5d60a797b54f5891170654e238181eab23

SHA512
2409342b0128b1496a1bf3fc1e60dff85818fe533ce78fc8f7c641c45dee8721815aeec567a33df41fd56aaf91d20dd985a42ecfc347bda566ed421efe8a5da8

Download Submit
C:\Windows\System32\Seven.dll
Filesize
1.0MB

MD5
0100b1a1310434310d135c6554806dfa

SHA1
bc63f87a2f9d6cfd9aa4f83c5a79fd74d56bfdff

SHA256
aae0ad17f594e9c7bbe0f1968f015d695adda95c59c5f8503a931dc344a45043

SHA512
20fb5a09f4423ba1a1a0c4fe75fee44740bb0acb67debbf7828f03d3da8d8de4d1404e5c5f69961dd365f22069476b522e04209200eb6b5f3e5241557f18c67c

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json
Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\Windows\System32\SevenCopy.exe
Filesize
139KB

MD5
6503f847c3281ff85b304fc674b62580

SHA1
947536e0741c085f37557b7328b067ef97cb1a61

SHA256
afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f

SHA512
abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174

Download Submit
memory/2916-9-0x000001E1449A0000-0x000001E1449C2000-memory.dmp

Filesize
136KB

Download
memory/2916-16-0x00007FFFB7EE0000-0x00007FFFB89A1000-memory.dmp

Filesize
10.8MB

Download
memory/2916-15-0x000001E15CF60000-0x000001E15D17C000-memory.dmp

Filesize
2.1MB

Download
memory/2916-10-0x00007FFFB7EE0000-0x00007FFFB89A1000-memory.dmp

Filesize
10.8MB

Download
memory/2916-12-0x000001E1430C0000-0x000001E1430D0000-memory.dmp

Filesize
64KB

Download
memory/2916-11-0x000001E1430C0000-0x000001E1430D0000-memory.dmp

Filesize
64KB

Download
memory/17288-455-0x00007FF72F4C0000-0x00007FF72F527000-memory.dmp

Filesize
412KB

Download
memory/17592-454-0x00007FF72F4C0000-0x00007FF72F527000-memory.dmp

Filesize
412KB

Download
memory/18196-452-0x00007FF72F4C0000-0x00007FF72F527000-memory.dmp

Filesize
412KB

Download
memory/18240-451-0x00007FF72F4C0000-0x00007FF72F527000-memory.dmp

Filesize
412KB

Download
memory/18284-453-0x00007FF72F4C0000-0x00007FF72F527000-memory.dmp

Filesize
412KB

Download
memory/18348-450-0x00007FF72F4C0000-0x00007FF72F527000-memory.dmp

Filesize
412KB

Download