4a26b4e2ea0c03dd3fe8d39701b05edbe69a0ef622b3c294deb7e2f023a2ef3f

Analysis

max time kernel
131s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

6503f847c3281ff85b304fc674b62580
SHA1

947536e0741c085f37557b7328b067ef97cb1a61
SHA256

afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
SHA512

abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Blocks application from running via registry modification 1 IoCs
Adds application to list of disallowed applications.
evasion

Processes:

Seven.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exeSevenCopy.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	SevenCopy.exe

Deletes itself 1 IoCs

Processes:

SevenCopy.exe

pid process

4540 SevenCopy.exe

Executes dropped EXE 64 IoCs

Processes:

pid	process
4540	SevenCopy.exe
12792	SevenCopy.exe
8320	SevenCopy.exe
4356	SevenCopy.exe
2212	SevenCopy.exe
14192	SevenCopy.exe
14516	SevenCopy.exe
15396	SevenCopy.exe
8136	SevenCopy.exe
6300	SevenCopy.exe
10656	SevenCopy.exe
15500	SevenCopy.exe
7732	SevenCopy.exe
7828	SevenCopy.exe
6148	SevenCopy.exe
7084	SevenCopy.exe
15216	SevenCopy.exe
15612	SevenCopy.exe
14840	SevenCopy.exe
10400	SevenCopy.exe
10348	SevenCopy.exe
16316	SevenCopy.exe
5492	SevenCopy.exe
11456	SevenCopy.exe
7124	SevenCopy.exe
7728	SevenCopy.exe
5868	SevenCopy.exe
6152	SevenCopy.exe
9736	SevenCopy.exe
7276	SevenCopy.exe
6496	SevenCopy.exe
15772	SevenCopy.exe
16060	SevenCopy.exe
15076	SevenCopy.exe
11552	SevenCopy.exe
16000	SevenCopy.exe
15240	SevenCopy.exe
2120	SevenCopy.exe
13776	SevenCopy.exe
9600	SevenCopy.exe
12320	SevenCopy.exe
16364	SevenCopy.exe
1920	SevenCopy.exe
8868	SevenCopy.exe
16264	SevenCopy.exe
2828	SevenCopy.exe
10036	SevenCopy.exe
11228	SevenCopy.exe
15712	SevenCopy.exe
4728	SevenCopy.exe
16704	SevenCopy.exe
8344	SevenCopy.exe
17472	SevenCopy.exe
12248	SevenCopy.exe
17480	SevenCopy.exe
15784	SevenCopy.exe
16048	SevenCopy.exe
17228	SevenCopy.exe
16796	SevenCopy.exe
10184	SevenCopy.exe
10032	SevenCopy.exe
5960	SevenCopy.exe
9184	SevenCopy.exe
7184	SevenCopy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

Seven.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

Seven.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

SevenCopy.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	SevenCopy.exe

Drops file in System32 directory 64 IoCs

Processes:

description	ioc	process
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4048 powershell.exe
4048 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4048 powershell.exe

pid	process
4048	powershell.exe
4048	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4048	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Seven.execmd.execmd.execmd.exeSevenCopy.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 712 wrote to memory of 4048	712	Seven.exe	powershell.exe
PID 712 wrote to memory of 4048	712	Seven.exe	powershell.exe
PID 712 wrote to memory of 3444	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 3444	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 1368	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 1368	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 2540	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 2540	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 3760	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 3760	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 4976	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 4976	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 4452	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 4452	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 1996	712	Seven.exe	cmd.exe
PID 712 wrote to memory of 1996	712	Seven.exe	cmd.exe
PID 4452 wrote to memory of 4448	4452	cmd.exe	attrib.exe
PID 4452 wrote to memory of 4448	4452	cmd.exe	attrib.exe
PID 2540 wrote to memory of 4460	2540	cmd.exe	attrib.exe
PID 2540 wrote to memory of 4460	2540	cmd.exe	attrib.exe
PID 1996 wrote to memory of 4544	1996	cmd.exe	attrib.exe
PID 1996 wrote to memory of 4544	1996	cmd.exe	attrib.exe
PID 712 wrote to memory of 4540	712	Seven.exe	SevenCopy.exe
PID 712 wrote to memory of 4540	712	Seven.exe	SevenCopy.exe
PID 4540 wrote to memory of 2444	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2444	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 3604	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 3604	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 4512	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 4512	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1340	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1340	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 3772	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 3772	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2032	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2032	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1332	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1332	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2040	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2040	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2692	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2692	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 4700	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 4700	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1988	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1988	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2672	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 2672	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1928	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1928	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1296	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1296	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1028	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 1028	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 4140	4540	SevenCopy.exe	cmd.exe
PID 4540 wrote to memory of 4140	4540	SevenCopy.exe	cmd.exe
PID 4512 wrote to memory of 3052	4512	cmd.exe	choice.exe
PID 4512 wrote to memory of 3052	4512	cmd.exe	choice.exe
PID 1332 wrote to memory of 1468	1332	cmd.exe	choice.exe
PID 1332 wrote to memory of 1468	1332	cmd.exe	choice.exe
PID 1340 wrote to memory of 4968	1340	cmd.exe	cmd.exe
PID 1340 wrote to memory of 4968	1340	cmd.exe	cmd.exe
PID 2444 wrote to memory of 5028	2444	cmd.exe	Conhost.exe
PID 2444 wrote to memory of 5028	2444	cmd.exe	Conhost.exe

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

Processes:

Seven.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4448 attrib.exe
4544 attrib.exe
4460 attrib.exe

pid	process
4448	attrib.exe
4544	attrib.exe
4460	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
2⤵
PID:3444

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\SevenCopy.exe
2⤵
PID:1368

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\SevenCopy.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\SevenCopy.exe
3⤵
- Views/modifies file attributes
PID:4460

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
2⤵
PID:3760

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
2⤵
PID:4976

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\Seven.dll
3⤵
- Views/modifies file attributes
PID:4448

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
2⤵
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\attrib.exe
attrib +h C:\Windows\System32\Seven.runtimeconfig.json
3⤵
- Views/modifies file attributes
PID:4544

C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
"C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
2⤵
- Deletes itself
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:5028

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log.html"
3⤵
PID:3604

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1812

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt"
3⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3052

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log.html"
3⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4968

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log"
3⤵
PID:3772

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3140

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log"
3⤵
PID:2032

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2976

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log"
3⤵
- Suspicious use of WriteProcessMemory
PID:1332

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1468

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log"
3⤵
PID:2040

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4368

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log"
3⤵
PID:2692

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3192

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log"
3⤵
PID:4700

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3724

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log"
3⤵
PID:1988

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1764

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log"
3⤵
PID:2672

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3148

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log"
3⤵
PID:1928

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:428

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log"
3⤵
PID:1296

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4472

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log"
3⤵
PID:1028

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2240

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log"
3⤵
PID:4140

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4064

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\CopyStop.odt"
3⤵
PID:2872

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:7600

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\Microsoft Edge.lnk"
3⤵
PID:4696

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:6928

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Are.docx"
3⤵
PID:2788

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9268

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ConnectWatch.xml"
3⤵
PID:2812

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:9488

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\DebugBackup.csv"
3⤵
PID:552

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10800

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\DebugSuspend.pdf"
3⤵
PID:2340

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10832

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ExitComplete.txt"
3⤵
PID:5008

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11868

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Files.docx"
3⤵
PID:4348

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10912

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\FindJoin.xls"
3⤵
PID:4000

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10892

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ImportPush.ppt"
3⤵
PID:3184

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10876

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\NewConvertFrom.pdf"
3⤵
PID:5016

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11104

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Opened.docx"
3⤵
PID:3632

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10864

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Recently.docx"
3⤵
PID:640

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11416

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\RepairPop.odt"
3⤵
PID:4448

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11364

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ResizeSwitch.docx"
3⤵
PID:1908

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10920

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\SelectUpdate.xls"
3⤵
PID:4932

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10728

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\StepSet.html"
3⤵
PID:3256

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11112

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\These.docx"
3⤵
PID:4044

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11128

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\UndoRename.docx"
3⤵
PID:3584

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10524

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\ApproveDeny.asp"
3⤵
PID:2212

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11188

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\ResolveImport.txt"
3⤵
PID:1484

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:7872

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\SubmitWait.doc"
3⤵
PID:3832

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11380

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"
3⤵
PID:2936

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11148

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"
3⤵
PID:1544

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11140

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\MoveStep.php"
3⤵
PID:4892

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:10552

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\UnlockPublish.bmp"
3⤵
PID:3984

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11428

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\ConvertAdd.bmp"
3⤵
PID:5152

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:13876

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\GrantSplit.png"
3⤵
PID:5168

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11096

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\MountSearch.jpg"
3⤵
PID:5180

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14432

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\My Wallpaper.jpg"
3⤵
PID:5192

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14440

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\RegisterStep.jpg"
3⤵
PID:5368

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14000

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\ResolveRename.jpg"
3⤵
PID:5392

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:12504

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\SendCompress.jpg"
3⤵
PID:5412

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:13864

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\SwitchStep.bmp"
3⤵
PID:5424

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14376

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\AddConvert.jpg"
3⤵
PID:5544

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14512

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\MergeSync.xls"
3⤵
PID:5612

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14644

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\SaveFind.png"
3⤵
PID:5624

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14720

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\SubmitStart.lnk"
3⤵
PID:5636

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14688

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\SyncRevoke.xml"
3⤵
PID:5648

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14612

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\UnlockLock.xlsx"
3⤵
PID:5660

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:13892

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510821.txt"
3⤵
PID:5672

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14852

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
3⤵
PID:5688

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14672

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI24F4.txt"
3⤵
PID:5728

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14448

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2518.txt"
3⤵
PID:5780

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14760

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI24F4.txt"
3⤵
PID:5800

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14460

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI2518.txt"
3⤵
PID:5812

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14584

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"
3⤵
PID:5844

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14564

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\mapping.csv"
3⤵
PID:5860

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15316

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240419_070859354.html"
3⤵
PID:5872

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15144

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
3⤵
PID:5884

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14828

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"
3⤵
PID:5896

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15172

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
3⤵
PID:5908

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15104

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
3⤵
PID:5920

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15088

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"
3⤵
PID:5932

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15164

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"
3⤵
PID:5944

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14696

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"
3⤵
PID:5956

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15072

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"
3⤵
PID:5968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15244

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"
3⤵
PID:5980

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15056

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"
3⤵
PID:6004

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14500

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"
3⤵
PID:6016

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"
3⤵
PID:6028

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14844

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"
3⤵
PID:6040

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14916

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"
3⤵
PID:6052

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14968

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"
3⤵
PID:6064

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14652

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"
3⤵
PID:6076

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14860

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"
3⤵
PID:6088

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14704

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"
3⤵
PID:6100

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15040

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"
3⤵
PID:6112

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14412

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"
3⤵
PID:6124

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15016

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"
3⤵
PID:6136

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15000

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"
3⤵
PID:3080

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15308

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"
3⤵
PID:2716

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14680

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"
3⤵
PID:5176

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14572

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"
3⤵
PID:5268

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15236

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"
3⤵
PID:6240

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14820

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png"
3⤵
PID:6252

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15332

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png"
3⤵
PID:6264

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15080

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html"
3⤵
PID:6276

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14812

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
3⤵
PID:6288

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15300

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png"
3⤵
PID:6308

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14836

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png"
3⤵
PID:6320

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14752

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png"
3⤵
PID:6332

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14908

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png"
3⤵
PID:6344

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15064

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png"
3⤵
PID:6372

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14976

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png"
3⤵
PID:6388

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14988

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png"
3⤵
PID:6408

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14940

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png"
3⤵
PID:6432

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15208

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png"
3⤵
PID:6460

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14876

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png"
3⤵
PID:6484

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15204

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png"
3⤵
PID:6504

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15008

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png"
3⤵
PID:6520

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15324

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png"
3⤵
PID:6540

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15112

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png"
3⤵
PID:6560

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15220

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png"
3⤵
PID:6580

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15096

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png"
3⤵
PID:6608

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3960

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png"
3⤵
PID:6628

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3500

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png"
3⤵
PID:6660

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15152

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png"
3⤵
PID:6676

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14960

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png"
3⤵
PID:6696

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14420

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png"
3⤵
PID:6708

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15228

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png"
3⤵
PID:6720

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3788

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png"
3⤵
PID:7148

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4664

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png"
3⤵
PID:6624

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4676

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png"
3⤵
PID:6692

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3948

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png"
3⤵
PID:6444

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3820

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png"
3⤵
PID:6152

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15276

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png"
3⤵
PID:7180

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3680

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png"
3⤵
PID:7196

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1296

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png"
3⤵
PID:7212

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15284

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png"
3⤵
PID:7224

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml"
3⤵
PID:7236

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15252

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
3⤵
PID:7252

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1696

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
3⤵
PID:7264

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3896

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk"
3⤵
PID:7276

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15184

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk"
3⤵
PID:7288

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4308

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Are.docx.lnk"
3⤵
PID:7300

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15344

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Files.docx.lnk"
3⤵
PID:7316

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14456

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Opened.docx.lnk"
3⤵
PID:7328

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1068

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Recently.docx.lnk"
3⤵
PID:7340

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4296

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\These.docx.lnk"
3⤵
PID:7356

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15352

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"
3⤵
PID:7368

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2404

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk"
3⤵
PID:7380

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15120

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png"
3⤵
PID:7392

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4424

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk"
3⤵
PID:7408

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14728

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk"
3⤵
PID:7420

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:972

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk"
3⤵
PID:7436

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15292

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk"
3⤵
PID:7448

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:448

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk"
3⤵
PID:7464

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15268

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk"
3⤵
PID:7476

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14932

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk"
3⤵
PID:7488

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15128

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk"
3⤵
PID:7500

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4716

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk"
3⤵
PID:7516

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2924

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk"
3⤵
PID:7528

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:216

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk"
3⤵
PID:7540

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4456

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk"
3⤵
PID:7552

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3592

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk"
3⤵
PID:7568

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:13812

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk"
3⤵
PID:7580

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3304

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk"
3⤵
PID:7592

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2772

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk"
3⤵
PID:7604

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15680

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk"
3⤵
PID:7620

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:712

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk"
3⤵
PID:7632

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14900

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk"
3⤵
PID:7644

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837245521736.txt"
3⤵
PID:7656

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3768

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837928247116.txt"
3⤵
PID:7672

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15748

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838254684814.txt"
3⤵
PID:7684

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1144

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838451029087.txt"
3⤵
PID:7700

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15260

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838515694078.txt"
3⤵
PID:8004

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2500

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838567180292.txt"
3⤵
PID:8036

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4100

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838750839126.txt"
3⤵
PID:8064

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15716

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838812679810.txt"
3⤵
PID:8088

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14924

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838854958362.txt"
3⤵
PID:8104

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4680

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579839873338736.txt"
3⤵
PID:8140

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4736

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579840507559806.txt"
3⤵
PID:8164

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15860

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844022702774.txt"
3⤵
PID:6420

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15764

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844322952340.txt"
3⤵
PID:6640

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2140

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844624250116.txt"
3⤵
PID:7176

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15504

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844979319796.txt"
3⤵
PID:8376

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4052

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579845400670849.txt"
3⤵
PID:8404

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2980

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579845577900100.txt"
3⤵
PID:8432

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4428

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579847200385598.txt"
3⤵
PID:8456

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:3400

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579847499992299.txt"
3⤵
PID:8548

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15708

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579847800283963.txt"
3⤵
PID:8584

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4972

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579848100459721.txt"
3⤵
PID:8596

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1576

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579848894597947.txt"
3⤵
PID:8608

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2040

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579887868586853.txt"
3⤵
PID:9012

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2912

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt"
3⤵
PID:8372

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1928

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"
3⤵
PID:7868

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15544

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
3⤵
PID:7916

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:2828

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\k6zex9vv.default-release\pkcs11.txt"
3⤵
PID:7296

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15400

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\update100[1].xml"
3⤵
PID:8060

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1356

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\X2NSSXLH\known_providers_download_v1[1].xml"
3⤵
PID:8160

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4928

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png"
3⤵
PID:5608

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14636

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png"
3⤵
PID:8424

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15740

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png"
3⤵
PID:6592

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16048

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png"
3⤵
PID:9568

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16156

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png"
3⤵
PID:9600

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:14952

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png"
3⤵
PID:9876

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16392

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png"
3⤵
PID:9904

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15756

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png"
3⤵
PID:9920

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15672

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2ebe6a11-de91-4077-996f-4f928bc5976b}\0.0.filtertrie.intermediate.txt"
3⤵
PID:9932

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15732

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2ebe6a11-de91-4077-996f-4f928bc5976b}\0.1.filtertrie.intermediate.txt"
3⤵
PID:9944

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16060

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2ebe6a11-de91-4077-996f-4f928bc5976b}\0.2.filtertrie.intermediate.txt"
3⤵
PID:9960

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15916

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{39cbc589-0e9f-4643-9bd1-14b1344aa8da}\0.0.filtertrie.intermediate.txt"
3⤵
PID:9988

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15808

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{39cbc589-0e9f-4643-9bd1-14b1344aa8da}\0.1.filtertrie.intermediate.txt"
3⤵
PID:10004

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15792

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{39cbc589-0e9f-4643-9bd1-14b1344aa8da}\0.2.filtertrie.intermediate.txt"
3⤵
PID:10024

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16560

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f6a3bdb4-87ea-4b27-a81d-ba59c547355c}\0.0.filtertrie.intermediate.txt"
3⤵
PID:10040

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15924

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f6a3bdb4-87ea-4b27-a81d-ba59c547355c}\0.1.filtertrie.intermediate.txt"
3⤵
PID:10056

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15888

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{f6a3bdb4-87ea-4b27-a81d-ba59c547355c}\0.2.filtertrie.intermediate.txt"
3⤵
PID:10068

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16200

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c8c8a0c5-5b6a-469a-ad55-8725a0448738}\appsconversions.txt"
3⤵
PID:10080

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15724

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c8c8a0c5-5b6a-469a-ad55-8725a0448738}\appsglobals.txt"
3⤵
PID:10092

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15836

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c8c8a0c5-5b6a-469a-ad55-8725a0448738}\appssynonyms.txt"
3⤵
PID:10104

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16584

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c8c8a0c5-5b6a-469a-ad55-8725a0448738}\settingsconversions.txt"
3⤵
PID:10124

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16448

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c8c8a0c5-5b6a-469a-ad55-8725a0448738}\settingsglobals.txt"
3⤵
PID:10136

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15936

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{c8c8a0c5-5b6a-469a-ad55-8725a0448738}\settingssynonyms.txt"
3⤵
PID:9072

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15512

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3ca7e305-e169-4803-b267-dc38483a5382}\0.0.filtertrie.intermediate.txt"
3⤵
PID:10248

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16256

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3ca7e305-e169-4803-b267-dc38483a5382}\0.1.filtertrie.intermediate.txt"
3⤵
PID:10276

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15900

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{3ca7e305-e169-4803-b267-dc38483a5382}\0.2.filtertrie.intermediate.txt"
3⤵
PID:10288

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16068

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fadcd841-1261-4517-ac09-1289a2098b6f}\0.0.filtertrie.intermediate.txt"
3⤵
PID:10320

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15868

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fadcd841-1261-4517-ac09-1289a2098b6f}\0.1.filtertrie.intermediate.txt"
3⤵
PID:10584

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15796

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fadcd841-1261-4517-ac09-1289a2098b6f}\0.2.filtertrie.intermediate.txt"
3⤵
PID:10636

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16380

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk"
3⤵
PID:10672

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16516

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk"
3⤵
PID:10696

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16592

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
3⤵
PID:10708

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16172

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"
3⤵
PID:10720

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16336

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk"
3⤵
PID:10744

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16400

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk"
3⤵
PID:10756

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16464

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"
3⤵
PID:10768

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15700

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"
3⤵
PID:10792

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16600

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk"
3⤵
PID:10812

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16248

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
3⤵
PID:10824

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16528

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk"
3⤵
PID:10844

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15908

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk"
3⤵
PID:10856

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16264

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"
3⤵
PID:10884

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16016

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk"
3⤵
PID:10904

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15784

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk"
3⤵
PID:10944

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16456

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"
3⤵
PID:10956

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16032

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png"
3⤵
PID:10968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16164

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\offscreendocument.html"
3⤵
PID:10984

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16240

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\EGU4Q1MN\microsoft.windows[1].xml"
3⤵
PID:11304

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16656

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\RGTD1OIS\www.bing[1].xml"
3⤵
PID:11632

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16364

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\craw_window.html"
3⤵
PID:11648

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16888

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png"
3⤵
PID:11672

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16408

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png"
3⤵
PID:11688

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16372

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button.png"
3⤵
PID:11700

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16864

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png"
3⤵
PID:11712

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16812

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_hover.png"
3⤵
PID:11724

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16628

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_maximize.png"
3⤵
PID:11736

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16416

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_pressed.png"
3⤵
PID:11748

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17152

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png"
3⤵
PID:11764

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15448

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png"
3⤵
PID:11776

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16140

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png"
3⤵
PID:11796

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16184

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png"
3⤵
PID:11812

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16148

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png"
3⤵
PID:11824

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16356

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png"
3⤵
PID:11840

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16024

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png"
3⤵
PID:11856

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16576

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png"
3⤵
PID:11880

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16872

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png"
3⤵
PID:12160

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16484

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png"
3⤵
PID:12172

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16504

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png"
3⤵
PID:11896

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16848

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png"
3⤵
PID:12304

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16648

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png"
3⤵
PID:12320

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16820

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png"
3⤵
PID:12336

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16796

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png"
3⤵
PID:12348

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16788

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png"
3⤵
PID:12364

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17160

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png"
3⤵
PID:12692

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16880

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png"
3⤵
PID:12712

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16916

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png"
3⤵
PID:13012

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17028

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png"
3⤵
PID:13028

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17112

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png"
3⤵
PID:13048

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3192

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17252

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png"
3⤵
PID:13084

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16924

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png"
3⤵
PID:13124

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16804

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png"
3⤵
PID:13152

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3140

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16856

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png"
3⤵
PID:13260

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17308

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png"
3⤵
PID:13280

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5028

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16780

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png"
3⤵
PID:13300

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17300

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png"
3⤵
PID:11904

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17208

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png"
3⤵
PID:12008

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17128

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.png"
3⤵
PID:11696

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17260

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png"
3⤵
PID:11744

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17240

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png"
3⤵
PID:11808

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:15048

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png"
3⤵
PID:4332

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:16760

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png"
3⤵
PID:12344

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17120

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.png"
3⤵
PID:1812

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17036

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png"
3⤵
PID:2240

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17136

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\192.png"
3⤵
PID:4968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17508

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png"
3⤵
PID:13324

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17340

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png"
3⤵
PID:13336

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17320

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png"
3⤵
PID:13356

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17228

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png"
3⤵
PID:13368

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17168

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.png"
3⤵
PID:13380

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:17220

C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
"C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
PID:12792

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"
4⤵
PID:17788

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:1484

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"
4⤵
PID:17804

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:17756

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\AddConvert.jpg"
4⤵
PID:17820

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:18416

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\MergeSync.xls"
4⤵
PID:17836

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\SaveFind.png"
4⤵
PID:17852

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:17772

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\SubmitStart.lnk"
4⤵
PID:17868

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:18360

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\SyncRevoke.xml"
4⤵
PID:17972

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\UnlockLock.xlsx"
4⤵
PID:17992

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:17900

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510821.txt"
4⤵
PID:18048

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
4⤵
PID:18064

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI24F4.txt"
4⤵
PID:18120

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2518.txt"
4⤵
PID:18140

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:5820

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI24F4.txt"
4⤵
PID:18156

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI2518.txt"
4⤵
PID:18216

C:\Windows\SYSTEM32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"
4⤵
PID:18256

C:\Windows\System32\SevenCopy.exe
C:\Windows\System32\SevenCopy.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:8320

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
2⤵
PID:12328

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:2420

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
2⤵
PID:11152

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:5284

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
2⤵
PID:12744

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:4072

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
2⤵
PID:1832

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:11872

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
2⤵
PID:1684

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:5252

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
2⤵
PID:5388

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
3⤵
PID:5008

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
2⤵
- Executes dropped EXE
PID:4356

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
3⤵
PID:428

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:5456

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
3⤵
PID:10868

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:11472

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
3⤵
PID:1352

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:5764

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
3⤵
PID:4652

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:6688

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
3⤵
PID:5384

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:5436

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
3⤵
PID:10524

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4040

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:2212

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
4⤵
PID:11432

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:6116

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
4⤵
PID:1536

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:6112

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
4⤵
PID:640

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:5184

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
4⤵
PID:4112

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:9792

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
4⤵
PID:14452

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2692

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
4⤵
PID:8800

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:15052

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
4⤵
- Executes dropped EXE
PID:14192

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
5⤵
PID:11820

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:5544

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
5⤵
PID:4176

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:15696

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
5⤵
PID:14156

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:9632

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
5⤵
PID:6004

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:13884

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
5⤵
PID:10232

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:8128

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
5⤵
PID:14808

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:10172

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
5⤵
- Executes dropped EXE
PID:14516

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
6⤵
PID:4744

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:5632

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
6⤵
PID:9344

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:6236

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
6⤵
PID:14444

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:15272

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
6⤵
PID:15340

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:1524

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
6⤵
PID:7428

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:4984

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
6⤵
PID:6360

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
7⤵
PID:4540

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:15396

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
7⤵
PID:11992

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:6336

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
7⤵
PID:10684

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:14708

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
7⤵
PID:10632

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:15356

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
7⤵
PID:8856

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:14972

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
7⤵
PID:12896

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:14652

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
7⤵
PID:8988

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
8⤵
PID:15996

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8136

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
8⤵
PID:4736

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:11208

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
8⤵
PID:15352

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:8400

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
8⤵
PID:14676

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:8952

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
8⤵
PID:4172

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:10168

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
8⤵
PID:9440

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:8656

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
8⤵
PID:14720

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
9⤵
PID:6940

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
8⤵
- Checks computer location settings
- Executes dropped EXE
PID:6300

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
9⤵
PID:10352

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:10020

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
9⤵
PID:9120

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:15380

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
9⤵
PID:8448

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:10688

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
9⤵
PID:6752

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:8264

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
9⤵
PID:4816

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:8696

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
9⤵
PID:6180

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
10⤵
PID:8268

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
9⤵
- Executes dropped EXE
PID:10656

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt"
10⤵
PID:14852

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:14612

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt"
10⤵
PID:14940

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:15232

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
10⤵
PID:6548

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:15472

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt"
10⤵
PID:6580

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:13216

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
10⤵
PID:8980

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:6128

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
10⤵
PID:14880

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
11⤵
PID:9332

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
10⤵
- Checks computer location settings
- Executes dropped EXE
PID:15500

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt"
11⤵
PID:6468

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:6388

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.2.filtertrie.intermediate.txt"
11⤵
PID:5652

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
12⤵
PID:6444

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
11⤵
- Executes dropped EXE
PID:7732

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
12⤵
- Checks computer location settings
- Executes dropped EXE
PID:7828

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:6148

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
14⤵
- Executes dropped EXE
PID:7084

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
PID:15216

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
16⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:15612

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
17⤵
- Executes dropped EXE
PID:14840

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
18⤵
- Executes dropped EXE
PID:10400

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
19⤵
- Executes dropped EXE
PID:10348

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
20⤵
- Checks computer location settings
- Executes dropped EXE
PID:16316

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
21⤵
PID:15688

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
22⤵
PID:9592

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
21⤵
- Executes dropped EXE
PID:5492

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
22⤵
- Executes dropped EXE
PID:11456

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
23⤵
- Executes dropped EXE
PID:7124

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:7728

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
25⤵
- Executes dropped EXE
PID:5868

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
26⤵
- Executes dropped EXE
PID:6152

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
27⤵
- Executes dropped EXE
PID:9736

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
28⤵
- Executes dropped EXE
PID:7276

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
29⤵
- Checks computer location settings
- Executes dropped EXE
PID:6496

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
30⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:15772

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
31⤵
- Executes dropped EXE
PID:16060

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
32⤵
- Checks computer location settings
- Executes dropped EXE
PID:15076

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
33⤵
- Checks computer location settings
- Executes dropped EXE
PID:11552

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
34⤵
- Checks computer location settings
- Executes dropped EXE
PID:16000

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
35⤵
- Executes dropped EXE
PID:15240

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
36⤵
- Checks computer location settings
- Executes dropped EXE
PID:2120

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
37⤵
- Executes dropped EXE
PID:13776

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
38⤵
- Checks computer location settings
- Executes dropped EXE
PID:9600

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
39⤵
- Executes dropped EXE
PID:12320

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
40⤵
- Executes dropped EXE
PID:16364

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
41⤵
- Executes dropped EXE
PID:1920

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
42⤵
- Executes dropped EXE
PID:8868

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
43⤵
- Executes dropped EXE
PID:16264

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
44⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
45⤵
- Executes dropped EXE
PID:10036

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:11228

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
47⤵
- Executes dropped EXE
PID:15712

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
48⤵
- Executes dropped EXE
PID:4728

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
49⤵
- Executes dropped EXE
PID:16704

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
50⤵
- Executes dropped EXE
PID:8344

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
51⤵
- Executes dropped EXE
PID:17472

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
52⤵
- Executes dropped EXE
PID:12248

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
53⤵
- Executes dropped EXE
PID:17480

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
54⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:15784

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:16048

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
56⤵
- Executes dropped EXE
PID:17228

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
57⤵
- Executes dropped EXE
PID:16796

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
58⤵
- Executes dropped EXE
PID:10184

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
59⤵
- Executes dropped EXE
PID:10032

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
60⤵
- Executes dropped EXE
PID:5960

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
61⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:9184

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
62⤵
- Executes dropped EXE
PID:7184

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
63⤵
PID:15516

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
64⤵
- Drops file in System32 directory
PID:7976

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
65⤵
PID:16748

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
66⤵
PID:13908

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
67⤵
PID:17012

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
68⤵
PID:16028

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
69⤵
- Drops file in System32 directory
PID:9180

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
70⤵
- Checks computer location settings
PID:10248

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
71⤵
- Checks computer location settings
PID:10668

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
72⤵
- Drops file in System32 directory
PID:14532

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
73⤵
- Checks computer location settings
PID:17636

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
74⤵
PID:17660

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
75⤵
PID:17744

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
76⤵
PID:13520

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
77⤵
- Drops file in System32 directory
PID:11860

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
78⤵
PID:11720

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
79⤵
PID:16024

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
80⤵
- Checks computer location settings
PID:9256

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
81⤵
- Checks computer location settings
PID:9472

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
82⤵
- Drops file in System32 directory
PID:6396

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
83⤵
PID:9296

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
84⤵
- Drops file in System32 directory
PID:13032

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
85⤵
- Drops file in System32 directory
PID:12388

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
86⤵
- Drops file in System32 directory
PID:13988

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
87⤵
PID:13824

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
88⤵
- Checks computer location settings
PID:11652

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
89⤵
- Drops file in System32 directory
PID:11740

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
90⤵
- Checks computer location settings
PID:11704

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
91⤵
- Drops file in System32 directory
PID:13052

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
92⤵
- Checks computer location settings
PID:14540

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
93⤵
PID:11588

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
94⤵
- Drops file in System32 directory
PID:10492

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
95⤵
PID:11272

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
96⤵
PID:13896

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
97⤵
- Checks computer location settings
PID:12108

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
98⤵
PID:14316

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
99⤵
PID:10068

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
100⤵
PID:14292

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
101⤵
PID:10620

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
102⤵
PID:12920

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
103⤵
PID:13724

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
104⤵
- Drops file in System32 directory
PID:14232

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
105⤵
- Drops file in System32 directory
PID:10280

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
106⤵
PID:10276

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
107⤵
PID:8560

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
108⤵
PID:11608

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
109⤵
- Checks computer location settings
PID:14632

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
110⤵
- Drops file in System32 directory
PID:7332

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
111⤵
PID:5072

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
112⤵
PID:11728

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
113⤵
PID:13764

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
114⤵
PID:12160

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
115⤵
PID:13800

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
116⤵
PID:11300

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
117⤵
- Drops file in System32 directory
PID:12348

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
118⤵
- Checks computer location settings
PID:13448

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
119⤵
- Drops file in System32 directory
PID:14372

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
120⤵
PID:12240

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
121⤵
PID:9984

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
122⤵
PID:17772

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
123⤵
- Checks computer location settings
PID:17944

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
124⤵
PID:17912

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
125⤵
- Drops file in System32 directory
PID:4672

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
126⤵
PID:2156

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
127⤵
- Checks computer location settings
PID:17876

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
128⤵
PID:18248

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
129⤵
PID:2656

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
130⤵
- Checks computer location settings
PID:3532

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
131⤵
PID:18288

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
132⤵
PID:9268

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
133⤵
- Checks computer location settings
PID:1472

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
134⤵
- Checks computer location settings
PID:5016

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
135⤵
PID:2288

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
136⤵
PID:13848

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
137⤵
- Checks computer location settings
PID:14744

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
138⤵
PID:7876

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
139⤵
- Drops file in System32 directory
PID:4528

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
140⤵
- Checks computer location settings
- Drops file in System32 directory
PID:6000

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
141⤵
PID:5548

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
142⤵
- Checks computer location settings
PID:5616

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
143⤵
PID:1892

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
144⤵
- Checks computer location settings
PID:6964

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
145⤵
- Checks computer location settings
PID:8820

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
146⤵
PID:9768

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
147⤵
PID:8080

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
148⤵
- Drops file in System32 directory
PID:8888

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
149⤵
PID:5680

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
150⤵
PID:7512

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
151⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4976

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
152⤵
- Drops file in System32 directory
PID:2332

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
153⤵
PID:5720

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
154⤵
PID:14056

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
155⤵
- Checks computer location settings
PID:7160

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
156⤵
PID:2452

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
157⤵
PID:7188

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
158⤵
- Checks computer location settings
PID:7432

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
159⤵
PID:6952

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
160⤵
- Drops file in System32 directory
PID:5452

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
161⤵
PID:1588

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
162⤵
PID:5580

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
163⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5392

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
164⤵
- Drops file in System32 directory
PID:18220

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
165⤵
PID:15532

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
166⤵
PID:8020

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
167⤵
PID:15780

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
168⤵
PID:15648

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
169⤵
- Checks computer location settings
- Drops file in System32 directory
PID:15408

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
170⤵
PID:15656

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
171⤵
- Checks computer location settings
PID:1080

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
172⤵
PID:15616

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
173⤵
PID:8692

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
174⤵
- Drops file in System32 directory
PID:6684

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
175⤵
PID:6996

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
176⤵
PID:3312

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
177⤵
- Checks computer location settings
- Drops file in System32 directory
PID:16120

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
178⤵
PID:10632

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
179⤵
- Drops file in System32 directory
PID:1428

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
180⤵
PID:8180

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
181⤵
- Checks computer location settings
PID:14460

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
182⤵
PID:5740

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
183⤵
- Checks computer location settings
PID:8368

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
184⤵
PID:9064

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
185⤵
PID:6056

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
186⤵
PID:11220

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
187⤵
- Drops file in System32 directory
PID:10688

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
188⤵
- Drops file in System32 directory
PID:7480

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
189⤵
PID:8448

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
190⤵
PID:6796

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
191⤵
PID:5896

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
192⤵
PID:11176

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
193⤵
- Drops file in System32 directory
PID:12904

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
194⤵
PID:6988

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
195⤵
- Drops file in System32 directory
PID:16620

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
196⤵
PID:4140

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
197⤵
- Drops file in System32 directory
PID:6388

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
198⤵
PID:8752

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
199⤵
- Drops file in System32 directory
PID:9364

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
200⤵
PID:9504

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
201⤵
- Checks computer location settings
PID:7140

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
202⤵
PID:8296

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
203⤵
PID:5644

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
204⤵
PID:15564

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
205⤵
PID:2980

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
206⤵
- Drops file in System32 directory
PID:2112

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
207⤵
PID:11716

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
208⤵
- Drops file in System32 directory
PID:15968

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
209⤵
PID:9196

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
210⤵
PID:12324

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
211⤵
PID:4240

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
212⤵
- Drops file in System32 directory
PID:10316

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
213⤵
PID:7940

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
214⤵
- Drops file in System32 directory
PID:15976

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
215⤵
- Checks computer location settings
PID:10196

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
216⤵
PID:8744

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
217⤵
- Checks computer location settings
PID:15236

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
218⤵
- Checks computer location settings
PID:6104

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
219⤵
PID:16760

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
220⤵
- Drops file in System32 directory
PID:8360

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
221⤵
- Checks computer location settings
- Drops file in System32 directory
PID:16244

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
222⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5352

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
223⤵
PID:12460

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
224⤵
PID:17520

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
225⤵
PID:2772

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
226⤵
PID:16836

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
227⤵
PID:17548

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
228⤵
- Drops file in System32 directory
PID:12152

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
229⤵
PID:17208

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
230⤵
PID:16164

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
231⤵
- Drops file in System32 directory
PID:9468

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
232⤵
PID:7912

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
233⤵
PID:6348

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
234⤵
PID:8396

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
235⤵
PID:3504

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
236⤵
PID:13872

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
237⤵
PID:14264

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
238⤵
PID:17104

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
239⤵
PID:17324

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
240⤵
- Checks computer location settings
PID:7448

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
241⤵
- Checks computer location settings
PID:1068

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
242⤵
PID:12464

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
243⤵
- Checks computer location settings
PID:14772

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
244⤵
- Checks computer location settings
PID:16956

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
245⤵
- Checks computer location settings
PID:17184

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
246⤵
- Drops file in System32 directory
PID:17740

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
247⤵
- Drops file in System32 directory
PID:14308

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
248⤵
- Drops file in System32 directory
PID:14004

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
249⤵
- Checks computer location settings
PID:9728

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
250⤵
PID:17320

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
251⤵
PID:16600

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
252⤵
PID:12692

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
253⤵
PID:9012

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
254⤵
PID:11032

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
255⤵
PID:8052

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
256⤵
PID:12708

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
257⤵
PID:12112

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
256⤵
PID:13920

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
257⤵
PID:9068

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
258⤵
PID:14132

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
257⤵
PID:4332

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
258⤵
PID:14204

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
259⤵
PID:13636

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
258⤵
PID:1872

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
259⤵
PID:4168

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
260⤵
PID:5068

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
259⤵
PID:11324

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
260⤵
PID:13204

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
261⤵
PID:13212

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
260⤵
PID:4576

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
261⤵
PID:14508

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
262⤵
PID:13100

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
261⤵
PID:12912

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
262⤵
PID:11504

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
263⤵
PID:10492

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
262⤵
- Drops file in System32 directory
PID:12340

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
263⤵
PID:3020

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
264⤵
PID:9260

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
263⤵
- Checks computer location settings
PID:2644

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
264⤵
PID:10968

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
265⤵
PID:11924

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
264⤵
PID:13280

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
265⤵
PID:8836

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
266⤵
PID:14316

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
265⤵
PID:3724

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
266⤵
PID:10408

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
267⤵
PID:12644

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
266⤵
PID:12952

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
267⤵
PID:11848

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
268⤵
PID:13936

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
267⤵
PID:12236

C:\Windows\System32\cmd.exe
"cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
268⤵
PID:540

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
269⤵
PID:11568

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
268⤵
PID:9896

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
269⤵
- Drops file in System32 directory
PID:11392

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
270⤵
PID:13704

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
271⤵
PID:14312

C:\Windows\System32\SevenCopy.exe
"C:\Windows\System32\SevenCopy.exe"
272⤵
- Checks computer location settings
PID:11340

C:\Windows\System32\SevenCopy.exe
C:\Windows\System32\SevenCopy.exe
1⤵
PID:8364

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.0.filtertrie.intermediate.txt.420
Filesize
28KB

MD5
4d4cba128b55392ff16ac4d714eb061b

SHA1
0435a26a1627cc57338c613e2937eb96cd1cc6a0

SHA256
2b911c21a0ae0d5e87c6acde84bbf9eae05d652fb91aede87be7f30526f87216

SHA512
317b30bc1fea6edae7776e54fac3c8ab1d457bc0d07690e33ef54302b5bf812dc00d98377e303b21997f55d6bc78fc42864321ae0470daff634ebeec86481f30

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{aaad6daa-26aa-412d-a1ba-edd7e1f70dd2}\0.1.filtertrie.intermediate.txt.420
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fadcd841-1261-4517-ac09-1289a2098b6f}\0.1.filtertrie.intermediate.txt.420
Filesize
16B

MD5
e8aaa566651759e399714d464cdfb390

SHA1
373942a3618c8d5ff0ba8aab8e22d4a64e5641ae

SHA256
1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a

SHA512
23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{fadcd841-1261-4517-ac09-1289a2098b6f}\0.2.filtertrie.intermediate.txt.420
Filesize
16B

MD5
209371fb985ae536f7a01b2cbf06fdeb

SHA1
6e5d735e5a6aef442f3342931eaf47d505763578

SHA256
4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3

SHA512
53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579838515694078.txt.420
Filesize
77KB

MD5
ccd6899680ab969cf8307cf47dd4f4e8

SHA1
2c59cfa65c4365a9296dae439358d8642ae6f3c0

SHA256
017f27ce648318c3d6f3e763bef01ae0375d1d606865a9b442d97ac7db4a0f74

SHA512
6e3f92ad5bc44810d0db428e05aeb5d174bf7b0d0546dba679ecb5e5afdb8e37b13c32101ced5f3f39690642d78be556f77d11ac4509e7ffb5b07930e79cd001

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579839873338736.txt.420
Filesize
47KB

MD5
a1a3feea7a332f9e97a62bc975eb8016

SHA1
1b28c0cf1ab5c10eb4cf0bad4618f213dd793ff7

SHA256
d4fee481ae945c46b3093d6d0b13c48453915d8ee8adc8b8acef0b551bced32b

SHA512
7539948701264c387a24768cb7d7c8e006f9cf7a64bce07c5f5eea84ec05e02d08d1c8e7c422185781cbea06139960259584116dec63ccc667ae91f76801a5c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579847200385598.txt.420
Filesize
66KB

MD5
4a90573d4e1350bb3cb06a825fbd66de

SHA1
3f3ce3606d802cd06dda067fa2a07dfa745c90df

SHA256
5a74f880421a86087c44f74e3c105c9ec4fd4b1eae138984644c3d51d3e55242

SHA512
b09feba996e833c149a309cb45f56e79998cbdeb7fce71c15ef99a1615468aa62fd4c9b1cf3a4f802c27558a75db4c0885f84d65b1fdee979abde314d07c208c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628639622458.txt.420
Filesize
75KB

MD5
f8986559f15db3a6c0812096578ed41e

SHA1
54d7afa68254af0873ae6537812dcaffaebb391e

SHA256
a72f3d9014b8f543f2d3a998961442e542f5336093ac36ba14b72be59b3d2195

SHA512
cbaf9208e832504f710be8515d8c56aeb282ca91adc9d0a01134096a1da90a6d574228acb31db265ebc3e701f4e869461c420e4bb606014e4a57a4a75dc90e55

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133587628922397332.txt.420
Filesize
62KB

MD5
eddd87ee089591cd1781db7f06ebb1d1

SHA1
a897b6df5b26c7d20d70691821c2f14dc1bb16d9

SHA256
df9cc88044e44ec23e60c22b361f5c27ee21f3354f6791f782fdf5e2bd03c95c

SHA512
c510df837d8486a4ed19f20bf38cb135df53f5aad9377c1056422ffd40d3900f1ff666431e86734e7d338256498ab8d8739da802f3f8a9ae101af8a851772da1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510821.txt.420
Filesize
16B

MD5
bea21141aa401823a718b5744650822b

SHA1
bbe9cee4379b81dcf6fdf92aff28f2209563ce50

SHA256
57535fe04df416b5a689aa33f01d8e939f1d91fcae25c0c3cf8192baf417b1fe

SHA512
281f779891962273de9f795dea1917044247dbbe427d111b43027c08ad70577aeffbbb6dc8e68cb0013ebd1ce6103e10f1c71c7e144e75df15c76865ed9c9a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hpyt3m1c.yug.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.420
Filesize
1KB

MD5
dbc7a8218c16705748a9f0abb1711a76

SHA1
f76ed933f76be6940bd470f4aa00fba2aaf08059

SHA256
7e6e586af05429750bac45f004ec76999a2adcdd08de57212af74f9d40b920ff

SHA512
27f123e87022e075591315761701173c133dee12ef585793728bb6f1c18a146bd86ad863cfb309bef75f20441bd99d790617b822e165dbca6ba7a6802ec2337b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI24F4.txt.420
Filesize
425KB

MD5
d116fcd3fcc53294617524b9dc84ff4f

SHA1
bb407dbb07257583e5511210e59eac6391199e4d

SHA256
d2e7d9b74c1449f93eba21a7dc00b2d29a8501e9b4dfcca0f2b8ebe8a039139b

SHA512
645fb4db5fd881ff244be07b69030a62d29dbadc513bb58849dd31e795bcc6c1fbc9f2fd23ed1103be624ec1c6672d7f87bd06e76c550d5f352735df8a847118

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2518.txt.420
Filesize
414KB

MD5
e6d76d4039f03788513848cb57902cdb

SHA1
e027bf96897bf437b012d908ac72c0078279008a

SHA256
2285db0731068a093e0d5b21627b2ef35de3fda7173b4a0e460959a142152fc3

SHA512
31485316342f21b6c9be0e1abd0fdcac3425d81a2867c4c36e9a0929a53303bc60ba918b9c8c42b26dee35f0cb97679f2849fca75ccb1d6a275f214e73f627ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI24F4.txt.420
Filesize
11KB

MD5
230720f79c3ec6eadf281d2b85547cb9

SHA1
55ba593d39452ad413f4d1f7feeabe7a81509d4b

SHA256
e0dd22564aba8f4141dc1b78e01b375c7649913f473956e842305ce7c33e1e39

SHA512
8d879e79876a992544d01d9d95b2395602b62da078210f55c5f8764c9f62bc95e37e19a8a9d8246d8d6718db5cfa4ed5a2a03c80afe17fc0ec6aa0f39d916e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI2518.txt.420
Filesize
11KB

MD5
d0c7671caa72857b53bbc08962303ee7

SHA1
e1f08c7dceec54cd6536bc4c9f8829c91877b22f

SHA256
f4675970a606f1d1c20134976eed53beb18dae8a22324d817052b83c4e7af00d

SHA512
caddedd314af4b25e318ea6f775812125d39456ec0df35ed85064aa08f1ce602fd26e7846a78238bf79e0607958694d8596d896c66fa46bf98183bb7e76e8fdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html.420
Filesize
16B

MD5
65e115805f15f9cda5eb01e8f742d121

SHA1
e3ecf29bfa71ce07baf8d02009afb8766f35981b

SHA256
7852451b2b252515f369b14bd765135c2e11fee72276b5020e3ed61513c5611a

SHA512
dccbfdd893e5806fa1418e48e0c0c72ec2d1266ee7de48fce34bf3f74bda7e0682e8bf90de53594f34c3d5682c8164d9f6b6ea3977619be8487c2e339faa1ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\mapping.csv.420
Filesize
120KB

MD5
42c12f9e321e00ee8f2ec180e7863e24

SHA1
8d32c5df1057f7d040c919fbea6af11a274d2374

SHA256
63f8f0d578669353be78d86d0173e8f49202fd56f88d36bbefcae31b55d9ac8a

SHA512
c917ed0f9013642a6fe7968315d8454db9173b75e54184449682f75d8e5c02bdc77895e08e15eeb595de6811c09c5fbe0b85982e664223e28d351d2dd10225b2

Download Submit
C:\Users\Admin\AppData\Roaming\AddConvert.jpg.420
Filesize
154KB

MD5
010de34c4bbb3663a66267e72f1572fb

SHA1
347950e58903cf75c77c979eaefc19525cf55cf8

SHA256
9a62e32c84d8dc14d37362f0a0278d6115eee45ed1c2780d0bc7e72f28dd6a8d

SHA512
e8b9a99106ad3f91da0fcef9d3f3c455e7ccdd52385cc4c37d6c68cfdc8e8d0ffe0ae03a937be2f023604df3546ef8bd0bbdda47a4bfdda127ac1fcce3e2860b

Download Submit
C:\Users\Admin\AppData\Roaming\MergeSync.xls.420
Filesize
275KB

MD5
364bd0ef8f8b9a5ed24017e96f5bd799

SHA1
735f961ced8bcbfc75a2190d2eac8d21d7575e70

SHA256
fd46946ad00a54ab7708fda028cde6c1c517669de3865ded0a30cae45374451c

SHA512
019699e19aee9e248db13b8b956fdc488d03a173927129b2cefb5eaad72be6cc8f2337b2071d1a3c6e2da075b332586e1032a121d9bdfbf913e246309bffbd40

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.420
Filesize
51KB

MD5
f14ebdbbc002c8ca15a7b7e139b01b25

SHA1
361c8e0f9e1480937b44cb208b65da4cd85d3d52

SHA256
c4ac4b34f8ac38a53e2eb6f1b35fefc01cd61c9c325e6ddf5f2d54de518515b8

SHA512
a9b2de5fd410db8e58b10fd8b0d854c8c9b191cc4157d38adb07600ee89110665169849d84692a749798db7063de233d837d31f1b0a85b248bad7f32ee4fb269

Download Submit
C:\Users\Admin\AppData\Roaming\SaveFind.png.420
Filesize
166KB

MD5
c8f247571cb6617e8ae2eb4178351cab

SHA1
b253ff1625166e3c86bbed4daab8b55ca38702cc

SHA256
b07a57abdfc5005b88890439351ca96a137573b14f62149544e5dcf5e519cba8

SHA512
49423fb951fc04c459684d81cfb20039f586cd8d82c85d195a1468fc0aff3a4d28e9fac79b20bdb3a3452a2a899c0540a55f30015848e78a3b49a0376c4fc479

Download Submit
C:\Users\Admin\AppData\Roaming\SubmitStart.lnk.420
Filesize
336KB

MD5
842c5267ac9ec001c63d41cacee76715

SHA1
cf1f1abed92b54aaf85841b5b4efb3fe9e447279

SHA256
5d5e4240b59e335b5fb13bfe368a4799b12795e611bab453e080cd1e094b2db9

SHA512
856073e937405dc1709b8db91a5f5f7a9b03428ceee31682bec98a436d1b7c4ecd397e513bc9d00d2893d10817ff6512147cbeea8a0da7d6d5b4409835c94c6e

Download Submit
C:\Users\Admin\AppData\Roaming\SyncRevoke.xml.420
Filesize
209KB

MD5
1a566484f9bfafbaa5375d97f4c27f1e

SHA1
b48648afda923ec5c7c28fa9af5b0da98d867099

SHA256
0d6ec9b9de1772f6d042d853c5c6428c842093c80366c875d0c5c265d130ff41

SHA512
eb38d1dccbb88ca2aaf6c05d56c30a8856dc04b2d00fc29270bbef33b49abe2859eb7ce343282cf1633164dbc1bc0929d622b56f839ae342090c33259f1cc192

Download Submit
C:\Users\Admin\AppData\Roaming\UnlockLock.xlsx.420
Filesize
130KB

MD5
64132058f738048c5637760ff5cfec2a

SHA1
a62cacf5cab25af072dbf00daf1efebd9d145dbb

SHA256
dde9b8a52bc58845555290764fe249032b4bc849dab482258465aeb703c1dfcb

SHA512
7512bed441af3122de2c5341e6c8bea6ee307e1a11e72b693c3f511eee84bf91fa40ea5be9d7da495ee0b7cd9a48bc5fa9c0d72ba61bdfc21a54a0bc7efb1915

Download Submit
C:\Users\Admin\Links\Desktop.lnk.420
Filesize
512B

MD5
98b5a18c28eb9582c2a3c9431cee76d9

SHA1
649648758a1fa999dc6226af8444857ad13ada40

SHA256
6eee7ecce7b32b37b8c9b81c82730dd98571d6fb297dc72bbb72f1b69aa0166a

SHA512
01873b912b0c80a993125f57336a2ba5398b68ddc33bff2076f74133d7bd96e56959d929acebb75240f694b1aeb0aedb60b1a79c24033bdc1af73d930ae30f9a

Download Submit
C:\Users\Admin\Links\Downloads.lnk.420
Filesize
944B

MD5
e4e01dc37a05a80ebdf4bc20d365ce23

SHA1
024a2d69ce66255377d3e7aa92da0033f70c0794

SHA256
4ff5c6975f00f95e65037bebdb136eaa5fcef379adfa4d4416d04ab100115a82

SHA512
ea6f64722471709b6905473ef84b986c3698fc42cd240c5a4c838429ca136fffd4aeda0cefb2b20c6053d6c47552526f98be6b29a5cc0f552f4a60327a7c71ae

Download Submit
C:\Windows\System32\Seven.dll
Filesize
1.0MB

MD5
97d5608addaf6a26b12fe250fc98ec9b

SHA1
262442116a610405a90d7d536022eab9252212ca

SHA256
b269adab04ac864e8d0e542dceb9bc6c46d204a749721259658a9226eb813bad

SHA512
112d80b1cfab506dea45a996ba787ec305bf03a9e02f32b53d75e24ff738b1e4ec11d5328d2563c3b2cb0d9c91bcb95424e0c7311801d5bf5acb1a11df92630a

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json
Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\Windows\System32\SevenCopy.exe
Filesize
139KB

MD5
6503f847c3281ff85b304fc674b62580

SHA1
947536e0741c085f37557b7328b067ef97cb1a61

SHA256
afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f

SHA512
abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174

Download Submit
memory/4048-0-0x000001E8A4C10000-0x000001E8A4C32000-memory.dmp

Filesize
136KB

Download
memory/4048-15-0x00007FFF257A0000-0x00007FFF26261000-memory.dmp

Filesize
10.8MB

Download
memory/4048-11-0x000001E88C530000-0x000001E88C540000-memory.dmp

Filesize
64KB

Download
memory/4048-12-0x000001E88C530000-0x000001E88C540000-memory.dmp

Filesize
64KB

Download
memory/4048-10-0x00007FFF257A0000-0x00007FFF26261000-memory.dmp

Filesize
10.8MB

Download
memory/18156-427-0x00007FF634160000-0x00007FF6341C7000-memory.dmp

Filesize
412KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads