c135011ba87a0ab38df639962f3e4bb386bd8adaa156d694c688c8570e4b7f1c

Analysis

max time kernel
210s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

6503f847c3281ff85b304fc674b62580
SHA1

947536e0741c085f37557b7328b067ef97cb1a61
SHA256

afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f
SHA512

abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8lto:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	SevenCopy.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\Control Panel\International\Geo\Nation	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
3324	SevenCopy.exe
16132	SevenCopy.exe
14168	SevenCopy.exe
14244	SevenCopy.exe
6060	SevenCopy.exe
15220	SevenCopy.exe
6164	SevenCopy.exe
18772	SevenCopy.exe
6484	SevenCopy.exe
6980	SevenCopy.exe
7384	SevenCopy.exe
19148	SevenCopy.exe
15192	SevenCopy.exe
7284	SevenCopy.exe
15912	SevenCopy.exe
14932	SevenCopy.exe
19080	SevenCopy.exe
15204	SevenCopy.exe
14540	SevenCopy.exe
14980	SevenCopy.exe
9428	SevenCopy.exe
8668	SevenCopy.exe
15968	SevenCopy.exe
9020	SevenCopy.exe
16292	SevenCopy.exe
8828	SevenCopy.exe
15732	SevenCopy.exe
15884	SevenCopy.exe
15780	SevenCopy.exe
18184	SevenCopy.exe
8348	SevenCopy.exe
9336	SevenCopy.exe
11912	SevenCopy.exe
15300	SevenCopy.exe
17132	SevenCopy.exe
8856	SevenCopy.exe
15416	SevenCopy.exe
5396	SevenCopy.exe
19176	SevenCopy.exe
8680	SevenCopy.exe
2592	SevenCopy.exe
16372	SevenCopy.exe
12052	SevenCopy.exe
5660	SevenCopy.exe
18520	SevenCopy.exe
9796	SevenCopy.exe
15400	SevenCopy.exe
8708	SevenCopy.exe
17808	SevenCopy.exe
8768	SevenCopy.exe
9460	SevenCopy.exe
5552	SevenCopy.exe
11508	SevenCopy.exe
16920	SevenCopy.exe
8540	SevenCopy.exe
18008	SevenCopy.exe
8964	SevenCopy.exe
10720	SevenCopy.exe
10036	SevenCopy.exe
9300	SevenCopy.exe
9976	SevenCopy.exe
10956	SevenCopy.exe
11664	SevenCopy.exe
2724	SevenCopy.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	SevenCopy.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	SevenCopy.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\EncryptedLog.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found
File created	C:\Windows\system32\KeyAndIV.txt	SevenCopy.exe
File created	C:\Windows\system32\KeyAndIV.txt	Process not Found

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
760	powershell.exe
760	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	760	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
18548	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5104 wrote to memory of 760	5104	Seven.exe	87
PID 5104 wrote to memory of 760	5104	Seven.exe	87
PID 5104 wrote to memory of 688	5104	Seven.exe	89
PID 5104 wrote to memory of 688	5104	Seven.exe	89
PID 5104 wrote to memory of 4572	5104	Seven.exe	90
PID 5104 wrote to memory of 4572	5104	Seven.exe	90
PID 5104 wrote to memory of 2716	5104	Seven.exe	91
PID 5104 wrote to memory of 2716	5104	Seven.exe	91
PID 5104 wrote to memory of 208	5104	Seven.exe	92
PID 5104 wrote to memory of 208	5104	Seven.exe	92
PID 5104 wrote to memory of 3452	5104	Seven.exe	93
PID 5104 wrote to memory of 3452	5104	Seven.exe	93
PID 5104 wrote to memory of 3448	5104	Seven.exe	94
PID 5104 wrote to memory of 3448	5104	Seven.exe	94
PID 5104 wrote to memory of 228	5104	Seven.exe	95
PID 5104 wrote to memory of 228	5104	Seven.exe	95
PID 2716 wrote to memory of 964	2716	cmd.exe	96
PID 2716 wrote to memory of 964	2716	cmd.exe	96
PID 228 wrote to memory of 3228	228	cmd.exe	97
PID 228 wrote to memory of 3228	228	cmd.exe	97
PID 3448 wrote to memory of 1796	3448	cmd.exe	98
PID 3448 wrote to memory of 1796	3448	cmd.exe	98
PID 5104 wrote to memory of 3324	5104	Seven.exe	100
PID 5104 wrote to memory of 3324	5104	Seven.exe	100
PID 3324 wrote to memory of 1940	3324	SevenCopy.exe	101
PID 3324 wrote to memory of 1940	3324	SevenCopy.exe	101
PID 3324 wrote to memory of 772	3324	SevenCopy.exe	103
PID 3324 wrote to memory of 772	3324	SevenCopy.exe	103
PID 3324 wrote to memory of 3552	3324	SevenCopy.exe	104
PID 3324 wrote to memory of 3552	3324	SevenCopy.exe	104
PID 3324 wrote to memory of 4076	3324	SevenCopy.exe	105
PID 3324 wrote to memory of 4076	3324	SevenCopy.exe	105
PID 3324 wrote to memory of 4140	3324	SevenCopy.exe	106
PID 3324 wrote to memory of 4140	3324	SevenCopy.exe	106
PID 3324 wrote to memory of 2468	3324	SevenCopy.exe	110
PID 3324 wrote to memory of 2468	3324	SevenCopy.exe	110
PID 3324 wrote to memory of 3284	3324	SevenCopy.exe	112
PID 3324 wrote to memory of 3284	3324	SevenCopy.exe	112
PID 3324 wrote to memory of 3468	3324	SevenCopy.exe	113
PID 3324 wrote to memory of 3468	3324	SevenCopy.exe	113
PID 3324 wrote to memory of 4848	3324	SevenCopy.exe	114
PID 3324 wrote to memory of 4848	3324	SevenCopy.exe	114
PID 3324 wrote to memory of 212	3324	SevenCopy.exe	116
PID 3324 wrote to memory of 212	3324	SevenCopy.exe	116
PID 3324 wrote to memory of 2692	3324	SevenCopy.exe	120
PID 3324 wrote to memory of 2692	3324	SevenCopy.exe	120
PID 3324 wrote to memory of 1952	3324	SevenCopy.exe	121
PID 3324 wrote to memory of 1952	3324	SevenCopy.exe	121
PID 3324 wrote to memory of 5080	3324	SevenCopy.exe	123
PID 3324 wrote to memory of 5080	3324	SevenCopy.exe	123
PID 3324 wrote to memory of 4052	3324	SevenCopy.exe	124
PID 3324 wrote to memory of 4052	3324	SevenCopy.exe	124
PID 3324 wrote to memory of 1428	3324	SevenCopy.exe	126
PID 3324 wrote to memory of 1428	3324	SevenCopy.exe	126
PID 3324 wrote to memory of 820	3324	SevenCopy.exe	129
PID 3324 wrote to memory of 820	3324	SevenCopy.exe	129
PID 1940 wrote to memory of 8	1940	cmd.exe	475
PID 1940 wrote to memory of 8	1940	cmd.exe	475
PID 4140 wrote to memory of 2480	4140	cmd.exe	134
PID 4140 wrote to memory of 2480	4140	cmd.exe	134
PID 2468 wrote to memory of 4488	2468	cmd.exe	135
PID 2468 wrote to memory of 4488	2468	cmd.exe	135
PID 4052 wrote to memory of 1216	4052	cmd.exe	136
PID 4052 wrote to memory of 1216	4052	cmd.exe	136

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
964	attrib.exe
1796	attrib.exe
3228	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
  2⤵
  PID:688
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\SevenCopy.exe
  2⤵
  PID:4572
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\SevenCopy.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\SevenCopy.exe
    3⤵
    - Views/modifies file attributes
    PID:964
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  PID:208
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  PID:3452
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:1796
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:3228
- C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
  "C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  PID:3324
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:8
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log.html"
    3⤵
    PID:772
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4172
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt"
    3⤵
    PID:3552
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4320
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log.html"
    3⤵
    PID:4076
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4324
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4140
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2480
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4488
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log"
    3⤵
    PID:3284
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4280
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log"
    3⤵
    PID:3468
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:928
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log"
    3⤵
    PID:4848
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4744
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log"
    3⤵
    PID:212
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:376
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log"
    3⤵
    PID:2692
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4704
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log"
    3⤵
    PID:1952
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2204
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log"
    3⤵
    PID:5080
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2784
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1216
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log"
    3⤵
    PID:1428
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:460
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log"
    3⤵
    PID:820
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2872
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\BackupReset.doc"
    3⤵
    PID:4296
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5636
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\Microsoft Edge.lnk"
    3⤵
    PID:2988
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4112
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\ReadRevoke.jpg"
    3⤵
    PID:224
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5828
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Are.docx"
    3⤵
    PID:2640
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5816
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\DebugAdd.pptx"
    3⤵
    PID:4308
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5960
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Files.docx"
    3⤵
    PID:4708
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5432
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\GetRestart.html"
    3⤵
    PID:2604
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5836
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\GroupComplete.xml"
    3⤵
    PID:2740
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4012
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Opened.docx"
    3⤵
    PID:4628
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5332
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\OpenMount.pdf"
    3⤵
    PID:4300
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6000
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\PublishRequest.xml"
    3⤵
    PID:4372
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6588
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Recently.docx"
    3⤵
    PID:2324
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6180
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\RestoreEnable.html"
    3⤵
    PID:688
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5416
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\StepUnlock.html"
    3⤵
    PID:5124
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7148
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\These.docx"
    3⤵
    PID:5148
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6196
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\GetSend.txt"
    3⤵
    PID:5164
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7156
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\MountExit.lnk"
    3⤵
    PID:5176
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6320
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\MoveUnpublish.png"
    3⤵
    PID:5192
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7128
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\OptimizeFind.bmp"
    3⤵
    PID:5232
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7376
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\RedoBackup.xml"
    3⤵
    PID:5248
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6344
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\StartAssert.xml"
    3⤵
    PID:5292
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7312
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\StartRedo.xml"
    3⤵
    PID:5320
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7120
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"
    3⤵
    PID:5336
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7384
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"
    3⤵
    PID:5424
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6308
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\ExpandConnect.pdf"
    3⤵
    PID:5496
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7980
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\MeasureProtect.html"
    3⤵
    PID:5580
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7764
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\ResizeRemove.png"
    3⤵
    PID:5596
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7992
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\ConvertUninstall.png"
    3⤵
    PID:5704
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9116
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\My Wallpaper.jpg"
    3⤵
    PID:5860
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9100
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\ShowSearch.png"
    3⤵
    PID:5924
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:8604
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\StartRevoke.bmp"
    3⤵
    PID:5940
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:8836
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\AssertUse.docx"
    3⤵
    PID:5952
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:8812
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\MergeBackup.csv"
    3⤵
    PID:6012
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:8448
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510733.txt"
    3⤵
    PID:6064
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9548
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
    3⤵
    PID:6112
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9796
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI23F5.txt"
    3⤵
    PID:5260
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10232
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2413.txt"
    3⤵
    PID:5368
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10064
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI23F5.txt"
    3⤵
    PID:6096
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10052
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI2413.txt"
    3⤵
    PID:6148
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10072
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"
    3⤵
    PID:6164
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4280
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\mapping.csv"
    3⤵
    PID:6188
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9788
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240419_070740298.html"
    3⤵
    PID:6208
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10008
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
    3⤵
    PID:6232
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9904
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"
    3⤵
    PID:6244
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10264
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
    3⤵
    PID:6264
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3820
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
    3⤵
    PID:6364
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3808
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"
    3⤵
    PID:6388
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2784
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"
    3⤵
    PID:6404
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10244
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"
    3⤵
    PID:6416
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9996
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"
    3⤵
    PID:6428
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4704
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"
    3⤵
    PID:6484
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10832
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"
    3⤵
    PID:6524
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11164
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"
    3⤵
    PID:6544
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10996
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"
    3⤵
    PID:6556
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9968
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"
    3⤵
    PID:6628
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10852
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"
    3⤵
    PID:6672
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10708
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"
    3⤵
    PID:6688
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10344
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"
    3⤵
    PID:6728
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9840
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"
    3⤵
    PID:6748
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10692
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"
    3⤵
    PID:6760
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10004
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"
    3⤵
    PID:6892
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9876
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"
    3⤵
    PID:6908
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10436
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"
    3⤵
    PID:6924
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11996
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"
    3⤵
    PID:6948
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10700
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"
    3⤵
    PID:6960
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5216
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"
    3⤵
    PID:6984
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4468
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"
    3⤵
    PID:7140
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11180
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"
    3⤵
    PID:5160
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11008
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png"
    3⤵
    PID:5188
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11156
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png"
    3⤵
    PID:6176
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11036
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html"
    3⤵
    PID:6424
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10452
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
    3⤵
    PID:6496
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11172
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png"
    3⤵
    PID:6340
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11028
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png"
    3⤵
    PID:6552
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10824
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png"
    3⤵
    PID:7092
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11780
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png"
    3⤵
    PID:7172
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9824
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png"
    3⤵
    PID:7416
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11980
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png"
    3⤵
    PID:7484
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11796
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png"
    3⤵
    PID:7608
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11744
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png"
    3⤵
    PID:7624
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11708
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png"
    3⤵
    PID:7636
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12068
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png"
    3⤵
    PID:7648
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12252
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png"
    3⤵
    PID:7664
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11696
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png"
    3⤵
    PID:7684
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11988
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png"
    3⤵
    PID:7700
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10784
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png"
    3⤵
    PID:7864
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:10276
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png"
    3⤵
    PID:8032
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1952
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png"
    3⤵
    PID:8044
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2252
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png"
    3⤵
    PID:8056
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2468
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png"
    3⤵
    PID:8072
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12376
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png"
    3⤵
    PID:8092
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12360
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png"
    3⤵
    PID:6972
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:772
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png"
    3⤵
    PID:8220
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1336
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png"
    3⤵
    PID:8232
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11260
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png"
    3⤵
    PID:8252
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12580
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png"
    3⤵
    PID:8336
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1756
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png"
    3⤵
    PID:8360
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:3720
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png"
    3⤵
    PID:8416
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4272
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png"
    3⤵
    PID:8428
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12768
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png"
    3⤵
    PID:8440
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11388
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png"
    3⤵
    PID:8452
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4872
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png"
    3⤵
    PID:8464
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:352
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png"
    3⤵
    PID:8484
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12440
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml"
    3⤵
    PID:8500
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12368
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
    3⤵
    PID:8516
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12588
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
    3⤵
    PID:8688
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12596
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk"
    3⤵
    PID:8704
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13256
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk"
    3⤵
    PID:8720
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12456
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Are.docx.lnk"
    3⤵
    PID:8740
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12608
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Files.docx.lnk"
    3⤵
    PID:8756
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12684
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Opened.docx.lnk"
    3⤵
    PID:8776
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12448
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Recently.docx.lnk"
    3⤵
    PID:9072
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12748
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\These.docx.lnk"
    3⤵
    PID:9176
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12932
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"
    3⤵
    PID:7632
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:12964
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk"
    3⤵
    PID:8848
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13564
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png"
    3⤵
    PID:8864
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14076
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk"
    3⤵
    PID:9236
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13344
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk"
    3⤵
    PID:9276
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13936
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk"
    3⤵
    PID:9300
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13356
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk"
    3⤵
    PID:9328
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13804
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk"
    3⤵
    PID:9376
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14524
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk"
    3⤵
    PID:9392
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14368
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk"
    3⤵
    PID:9404
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:11972
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk"
    3⤵
    PID:9508
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14196
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk"
    3⤵
    PID:9564
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14208
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk"
    3⤵
    PID:9576
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14216
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk"
    3⤵
    PID:9688
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4836
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk"
    3⤵
    PID:9704
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14224
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk"
    3⤵
    PID:9716
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6308
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk"
    3⤵
    PID:9732
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4876
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk"
    3⤵
    PID:9744
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5100
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk"
    3⤵
    PID:9832
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14512
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk"
    3⤵
    PID:9844
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13708
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk"
    3⤵
    PID:9864
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14808
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk"
    3⤵
    PID:9884
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14660
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579836418013652.txt"
    3⤵
    PID:10116
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14244
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837096414018.txt"
    3⤵
    PID:10136
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14696
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837443444937.txt"
    3⤵
    PID:10148
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14920
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837640277591.txt"
    3⤵
    PID:10160
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14652
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837687940046.txt"
    3⤵
    PID:10172
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14704
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837744362386.txt"
    3⤵
    PID:10188
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14392
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837939951274.txt"
    3⤵
    PID:10204
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14540
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837978777915.txt"
    3⤵
    PID:5040
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14684
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579839074637091.txt"
    3⤵
    PID:9324
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14532
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579839712016426.txt"
    3⤵
    PID:2268
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2204
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14912
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843207563210.txt"
    3⤵
    PID:2376
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14676
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843507466942.txt"
    3⤵
    PID:9504
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14816
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843808534166.txt"
    3⤵
    PID:8
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15080
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844217534408.txt"
    3⤵
    PID:5112
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14928
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844630253682.txt"
    3⤵
    PID:10144
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14904
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844816569293.txt"
    3⤵
    PID:10316
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15012
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846092837203.txt"
    3⤵
    PID:10332
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15240
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846392471437.txt"
    3⤵
    PID:10364
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15284
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846692840690.txt"
    3⤵
    PID:10376
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15152
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846992823764.txt"
    3⤵
    PID:10392
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15252
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579847755903877.txt"
    3⤵
    PID:10408
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15232
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579858555939335.txt"
    3⤵
    PID:10444
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4584
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt"
    3⤵
    PID:10484
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15144
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"
    3⤵
    PID:10576
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15356
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
    3⤵
    PID:10592
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15300
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\pkcs11.txt"
    3⤵
    PID:10644
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15292
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VDZ45OC0\known_providers_download_v1[1].xml"
    3⤵
    PID:10676
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15260
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VDZ45OC0\update100[1].xml"
    3⤵
    PID:10772
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15048
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png"
    3⤵
    PID:10796
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15200
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png"
    3⤵
    PID:10812
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15268
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png"
    3⤵
    PID:10844
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7080
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png"
    3⤵
    PID:10872
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15088
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png"
    3⤵
    PID:10888
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15276
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png"
    3⤵
    PID:10900
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15136
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png"
    3⤵
    PID:10928
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14408
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png"
    3⤵
    PID:11112
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15124
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9be7308c-a8d0-45d4-8b98-7eb221672917}\0.0.filtertrie.intermediate.txt"
    3⤵
    PID:11132
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5132
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9be7308c-a8d0-45d4-8b98-7eb221672917}\0.1.filtertrie.intermediate.txt"
    3⤵
    PID:11200
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15708
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9be7308c-a8d0-45d4-8b98-7eb221672917}\0.2.filtertrie.intermediate.txt"
    3⤵
    PID:11212
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15728
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a0c1c275-c729-4c36-ba65-1470eae44acc}\0.0.filtertrie.intermediate.txt"
    3⤵
    PID:11232
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15556
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a0c1c275-c729-4c36-ba65-1470eae44acc}\0.1.filtertrie.intermediate.txt"
    3⤵
    PID:11248
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15496
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a0c1c275-c729-4c36-ba65-1470eae44acc}\0.2.filtertrie.intermediate.txt"
    3⤵
    PID:4716
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15512
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a7c18a06-53c4-43bc-b3e3-53d107e5e8f1}\0.0.filtertrie.intermediate.txt"
    3⤵
    PID:4868
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5812
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a7c18a06-53c4-43bc-b3e3-53d107e5e8f1}\0.1.filtertrie.intermediate.txt"
    3⤵
    PID:9616
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7308
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a7c18a06-53c4-43bc-b3e3-53d107e5e8f1}\0.2.filtertrie.intermediate.txt"
    3⤵
    PID:10404
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6464
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\appsconversions.txt"
    3⤵
    PID:11280
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:8828
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\appsglobals.txt"
    3⤵
    PID:11296
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:13076
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\appssynonyms.txt"
    3⤵
    PID:11320
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7160
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\settingsconversions.txt"
    3⤵
    PID:11336
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15364
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\settingsglobals.txt"
    3⤵
    PID:11356
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15372
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\settingssynonyms.txt"
    3⤵
    PID:11376
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15564
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f2498ad6-a1ee-4cab-90a9-b26879fa10d1}\0.0.filtertrie.intermediate.txt"
    3⤵
    PID:11392
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14752
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f2498ad6-a1ee-4cab-90a9-b26879fa10d1}\0.1.filtertrie.intermediate.txt"
    3⤵
    PID:11412
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15796
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f2498ad6-a1ee-4cab-90a9-b26879fa10d1}\0.2.filtertrie.intermediate.txt"
    3⤵
    PID:11428
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6852
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.0.filtertrie.intermediate.txt"
    3⤵
    PID:11444
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15380
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.1.filtertrie.intermediate.txt"
    3⤵
    PID:11460
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7120
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.2.filtertrie.intermediate.txt"
    3⤵
    PID:11480
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15532
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk"
    3⤵
    PID:11492
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15504
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk"
    3⤵
    PID:11504
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4612
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
    3⤵
    PID:11684
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1796
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"
    3⤵
    PID:11824
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15488
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk"
    3⤵
    PID:11840
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15540
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk"
    3⤵
    PID:11852
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15548
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"
    3⤵
    PID:12112
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6536
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"
    3⤵
    PID:10360
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:8920
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk"
    3⤵
    PID:3912
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15660
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
    3⤵
    PID:11964
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15892
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk"
    3⤵
    PID:1244
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16116
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk"
    3⤵
    PID:12328
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15960
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"
    3⤵
    PID:12340
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16244
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk"
    3⤵
    PID:12352
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16124
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk"
    3⤵
    PID:12528
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:688
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"
    3⤵
    PID:12656
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16192
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png"
    3⤵
    PID:12672
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16052
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\offscreendocument.html"
    3⤵
    PID:12688
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16060
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\6YMWEKY3\microsoft.windows[1].xml"
    3⤵
    PID:12704
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16020
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\NS3KXMQF\www.bing[1].xml"
    3⤵
    PID:12724
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5428
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\craw_window.html"
    3⤵
    PID:12752
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16364
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png"
    3⤵
    PID:12792
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16108
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png"
    3⤵
    PID:12812
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16200
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button.png"
    3⤵
    PID:12824
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15684
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png"
    3⤵
    PID:12848
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16172
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_hover.png"
    3⤵
    PID:12864
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16012
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_maximize.png"
    3⤵
    PID:12876
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5684
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_pressed.png"
    3⤵
    PID:12888
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5748
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png"
    3⤵
    PID:12908
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16312
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png"
    3⤵
    PID:13052
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15444
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png"
    3⤵
    PID:13064
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16236
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png"
    3⤵
    PID:13080
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5808
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png"
    3⤵
    PID:13108
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15456
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png"
    3⤵
    PID:13124
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15412
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png"
    3⤵
    PID:13144
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16100
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png"
    3⤵
    PID:13160
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:1028
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png"
    3⤵
    PID:13188
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5332
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16332
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png"
    3⤵
    PID:13208
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5620
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png"
    3⤵
    PID:13220
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16296
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png"
    3⤵
    PID:3144
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2324
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png"
    3⤵
    PID:5828
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16372
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png"
    3⤵
    PID:12348
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15428
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png"
    3⤵
    PID:6184
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16272
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png"
    3⤵
    PID:12872
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5400
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png"
    3⤵
    PID:13380
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16224
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png"
    3⤵
    PID:13408
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16304
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png"
    3⤵
    PID:13424
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16180
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png"
    3⤵
    PID:13436
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5604
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png"
    3⤵
    PID:13460
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:4628
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png"
    3⤵
    PID:13476
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5664
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png"
    3⤵
    PID:13712
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7384
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png"
    3⤵
    PID:13820
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16092
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png"
    3⤵
    PID:13948
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16044
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png"
    3⤵
    PID:13968
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15400
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png"
    3⤵
    PID:13984
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15840
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png"
    3⤵
    PID:13996
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:9800
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png"
    3⤵
    PID:14024
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16344
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.png"
    3⤵
    PID:14252
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5668
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png"
    3⤵
    PID:14264
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5240
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png"
    3⤵
    PID:14284
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15652
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png"
    3⤵
    PID:14300
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5408
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png"
    3⤵
    PID:14324
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6196
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5464
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.png"
    3⤵
    PID:13016
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:16216
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png"
    3⤵
    PID:13200
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5728
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\192.png"
    3⤵
    PID:13204
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:7768
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png"
    3⤵
    PID:13404
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5476
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png"
    3⤵
    PID:2500
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:2288
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png"
    3⤵
    PID:2308
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:15824
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png"
    3⤵
    PID:14112
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5736
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.png"
    3⤵
    PID:14436
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:5124
- - C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe
    "C:\Users\Admin\AppData\Local\Temp\SevenCopy.exe"
    3⤵
    - Executes dropped EXE
    PID:16132
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5292
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510733.txt"
      4⤵
      PID:5608
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI23F5.txt"
      4⤵
      PID:5864
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5608
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2413.txt"
      4⤵
      PID:876
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI23F5.txt"
      4⤵
      PID:6036
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"
      4⤵
      PID:3268
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:18448
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240419_070740298.html"
      4⤵
      PID:5908
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
      4⤵
      PID:5596
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"
      4⤵
      PID:5496
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
      4⤵
      PID:5772
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:12240
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
      4⤵
      PID:5844
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"
      4⤵
      PID:5716
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"
      4⤵
      PID:7040
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16592
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"
      4⤵
      PID:5988
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:18468
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"
      4⤵
      PID:5940
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:17356
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"
      4⤵
      PID:6152
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"
      4⤵
      PID:6112
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"
      4⤵
      PID:6132
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"
      4⤵
      PID:5952
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:6260
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"
      4⤵
      PID:6356
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"
      4⤵
      PID:6128
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"
      4⤵
      PID:5376
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"
      4⤵
      PID:5704
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:17116
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"
      4⤵
      PID:6120
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:6172
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"
      4⤵
      PID:5924
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"
      4⤵
      PID:5984
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"
      4⤵
      PID:6108
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:17244
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"
      4⤵
      PID:5520
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"
      4⤵
      PID:4072
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4172
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"
      4⤵
      PID:3620
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:17396
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"
      4⤵
      PID:3400
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"
      4⤵
      PID:5452
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:9856
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"
      4⤵
      PID:5104
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png"
      4⤵
      PID:9788
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:18904
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png"
      4⤵
      PID:2104
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:19108
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html"
      4⤵
      PID:6460
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
      4⤵
      PID:6376
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png"
      4⤵
      PID:5480
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:11224
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png"
      4⤵
      PID:5552
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png"
      4⤵
      PID:9404
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png"
      4⤵
      PID:5288
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png"
      4⤵
      PID:6072
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png"
      4⤵
      PID:16396
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:11028
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png"
      4⤵
      PID:16420
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png"
      4⤵
      PID:16444
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png"
      4⤵
      PID:16460
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png"
      4⤵
      PID:16488
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png"
      4⤵
      PID:16504
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png"
      4⤵
      PID:16524
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png"
      4⤵
      PID:16540
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16588
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png"
      4⤵
      PID:16556
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png"
      4⤵
      PID:16572
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png"
      4⤵
      PID:16588
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png"
      4⤵
      PID:16608
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png"
      4⤵
      PID:16628
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png"
      4⤵
      PID:16644
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png"
      4⤵
      PID:16660
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png"
      4⤵
      PID:16676
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png"
      4⤵
      PID:16700
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1844
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png"
      4⤵
      PID:16712
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png"
      4⤵
      PID:16724
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png"
      4⤵
      PID:16736
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16856
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png"
      4⤵
      PID:16748
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3324
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png"
      4⤵
      PID:16760
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:10788
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png"
      4⤵
      PID:16772
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png"
      4⤵
      PID:16784
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:17244
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png"
      4⤵
      PID:16796
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png"
      4⤵
      PID:16808
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:18544
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml"
      4⤵
      PID:16820
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
      4⤵
      PID:16832
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
      4⤵
      PID:16844
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk"
      4⤵
      PID:16868
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk"
      4⤵
      PID:16880
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Are.docx.lnk"
      4⤵
      PID:16900
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Files.docx.lnk"
      4⤵
      PID:16912
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Opened.docx.lnk"
      4⤵
      PID:16924
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Recently.docx.lnk"
      4⤵
      PID:16936
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\These.docx.lnk"
      4⤵
      PID:16948
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"
      4⤵
      PID:16960
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk"
      4⤵
      PID:16972
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png"
      4⤵
      PID:16992
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk"
      4⤵
      PID:17012
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk"
      4⤵
      PID:17032
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk"
      4⤵
      PID:17060
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk"
      4⤵
      PID:17080
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk"
      4⤵
      PID:17096
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk"
      4⤵
      PID:17120
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk"
      4⤵
      PID:17132
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk"
      4⤵
      PID:17152
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:17456
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk"
      4⤵
      PID:17168
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk"
      4⤵
      PID:17184
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk"
      4⤵
      PID:17204
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk"
      4⤵
      PID:17216
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk"
      4⤵
      PID:17232
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk"
      4⤵
      PID:17256
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk"
      4⤵
      PID:17268
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:17464
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk"
      4⤵
      PID:17288
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk"
      4⤵
      PID:17308
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk"
      4⤵
      PID:17320
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579836418013652.txt"
      4⤵
      PID:17340
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16660
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837096414018.txt"
      4⤵
      PID:17360
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:11680
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837443444937.txt"
      4⤵
      PID:17380
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837640277591.txt"
      4⤵
      PID:17392
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837687940046.txt"
      4⤵
      PID:17404
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:11972
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:19376
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837744362386.txt"
      4⤵
      PID:6172
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837939951274.txt"
      4⤵
      PID:5600
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837978777915.txt"
      4⤵
      PID:5976
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579839074637091.txt"
      4⤵
      PID:5500
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579839712016426.txt"
      4⤵
      PID:5472
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843207563210.txt"
      4⤵
      PID:3280
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843507466942.txt"
      4⤵
      PID:17420
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5848
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579843808534166.txt"
      4⤵
      PID:17432
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844217534408.txt"
      4⤵
      PID:17444
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16892
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844630253682.txt"
      4⤵
      PID:17456
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579844816569293.txt"
      4⤵
      PID:17468
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846092837203.txt"
      4⤵
      PID:17480
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846392471437.txt"
      4⤵
      PID:17492
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:11316
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846692840690.txt"
      4⤵
      PID:17512
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846992823764.txt"
      4⤵
      PID:17524
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579847755903877.txt"
      4⤵
      PID:17536
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579858555939335.txt"
      4⤵
      PID:17548
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16644
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt"
      4⤵
      PID:17560
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"
      4⤵
      PID:16744
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
      4⤵
      PID:16956
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ihcffylf.default-release\pkcs11.txt"
      4⤵
      PID:17072
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VDZ45OC0\known_providers_download_v1[1].xml"
      4⤵
      PID:6076
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VDZ45OC0\update100[1].xml"
      4⤵
      PID:5644
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png"
      4⤵
      PID:4720
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png"
      4⤵
      PID:2248
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png"
      4⤵
      PID:17388
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png"
      4⤵
      PID:17488
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png"
      4⤵
      PID:6500
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png"
      4⤵
      PID:11976
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png"
      4⤵
      PID:3012
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png"
      4⤵
      PID:16392
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9be7308c-a8d0-45d4-8b98-7eb221672917}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:16520
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9be7308c-a8d0-45d4-8b98-7eb221672917}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:17736
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{9be7308c-a8d0-45d4-8b98-7eb221672917}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:7344
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a0c1c275-c729-4c36-ba65-1470eae44acc}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:6372
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a0c1c275-c729-4c36-ba65-1470eae44acc}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:5992
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a0c1c275-c729-4c36-ba65-1470eae44acc}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:16932
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a7c18a06-53c4-43bc-b3e3-53d107e5e8f1}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:5632
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a7c18a06-53c4-43bc-b3e3-53d107e5e8f1}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:17056
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{a7c18a06-53c4-43bc-b3e3-53d107e5e8f1}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:4664
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\appsconversions.txt"
      4⤵
      PID:17584
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\appsglobals.txt"
      4⤵
      PID:5900
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\appssynonyms.txt"
      4⤵
      PID:17688
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\settingsconversions.txt"
      4⤵
      PID:18448
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\settingsglobals.txt"
      4⤵
      PID:18464
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9efe58e1-dae2-4eb2-87e3-f5b486730137}\settingssynonyms.txt"
      4⤵
      PID:18484
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f2498ad6-a1ee-4cab-90a9-b26879fa10d1}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:18504
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f2498ad6-a1ee-4cab-90a9-b26879fa10d1}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:18524
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f2498ad6-a1ee-4cab-90a9-b26879fa10d1}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:18540
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:18568
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:18584
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:11364
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:18596
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk"
      4⤵
      PID:18612
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk"
      4⤵
      PID:18628
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
      4⤵
      PID:19240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:18040

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 1064 -p 17748 -ip 17748
1⤵
PID:11164

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 924 -p 18184 -ip 18184
1⤵
PID:3820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 832 -p 18128 -ip 18128
1⤵
PID:9876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 968 -p 17668 -ip 17668
1⤵
PID:4468

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 1108 -p 17928 -ip 17928
1⤵
PID:6000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 520 -p 17804 -ip 17804
1⤵
PID:9968

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 768 -p 18272 -ip 18272
1⤵
PID:9840

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 1040 -p 17868 -ip 17868
1⤵
PID:11988

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 412 -p 17852 -ip 17852
1⤵
PID:11780

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 756 -p 5888 -ip 5888
1⤵
PID:6152

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 1120 -p 17020 -ip 17020
1⤵
PID:876

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 616 -p 19008 -ip 19008
1⤵
PID:11260

C:\Windows\System32\SevenCopy.exe
C:\Windows\System32\SevenCopy.exe
1⤵
- Executes dropped EXE
PID:14168
- C:\Windows\System32\cmd.exe
  "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
  2⤵
  PID:8284
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:8124
- C:\Windows\System32\cmd.exe
  "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323408801095.txt"
  2⤵
  PID:12936
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:12364
- C:\Windows\System32\cmd.exe
  "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323651829980.txt"
  2⤵
  PID:6640
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:7512
- C:\Windows\System32\cmd.exe
  "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
  2⤵
  PID:16532
- - C:\Windows\system32\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:7656
- C:\Windows\System32\SevenCopy.exe
  "C:\Windows\System32\SevenCopy.exe"
  2⤵
  - Executes dropped EXE
  PID:14244
- - C:\Windows\System32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
    3⤵
    PID:6672
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6340
- - C:\Windows\System32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323408801095.txt"
    3⤵
    PID:7584
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6604
- - C:\Windows\System32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323651829980.txt"
    3⤵
    PID:6420
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:6424
- - C:\Windows\System32\cmd.exe
    "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
    3⤵
    PID:10856
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:14688
- - C:\Windows\System32\SevenCopy.exe
    "C:\Windows\System32\SevenCopy.exe"
    3⤵
    - Executes dropped EXE
    PID:6060
  - - C:\Windows\System32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
      4⤵
      PID:16452
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14416
  - - C:\Windows\System32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323408801095.txt"
      4⤵
      PID:11176
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:7124
  - - C:\Windows\System32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323651829980.txt"
      4⤵
      PID:6832
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:7132
  - - C:\Windows\System32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
      4⤵
      PID:16956
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:7356
  - - C:\Windows\System32\SevenCopy.exe
      "C:\Windows\System32\SevenCopy.exe"
      4⤵
      Executes dropped EXE
      PID:15220
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
        5⤵
        
        PID:6252
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:9100
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323408801095.txt"
        5⤵
        
        PID:7572
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:13564
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323651829980.txt"
        5⤵
        
        PID:6488
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:14392
    - - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        5⤵
        
        PID:7776
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:14904
    - - C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        5⤵
        Executes dropped EXE
        
        PID:6164
      - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
        6⤵
        
        PID:6520
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:6404
      - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323408801095.txt"
        6⤵
        
        PID:8100
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:5280
      - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323651829980.txt"
        6⤵
        
        PID:15468
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:8752
      - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        6⤵
        
        PID:6808
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:7664
      - C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        6⤵
        Executes dropped EXE
        
        PID:18772
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
        7⤵
        
        PID:6156
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:14668
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323408801095.txt"
        7⤵
        
        PID:8212
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:6428
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323651829980.txt"
        7⤵
        
        PID:5144
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:15268
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        7⤵
        
        PID:7192
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:14372
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        7⤵
        Executes dropped EXE
        
        PID:6484
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
        8⤵
        
        PID:15720
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:15872
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323408801095.txt"
        8⤵
        
        PID:15612
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:18012
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133588323651829980.txt"
        8⤵
        
        PID:15600
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:5580
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        8⤵
        
        PID:7032
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:14528
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        8⤵
        Executes dropped EXE
        
        PID:6980
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        9⤵
        Executes dropped EXE
        
        PID:7384
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        10⤵
        Executes dropped EXE
        
        PID:19148
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        11⤵
        Executes dropped EXE
        
        PID:15192
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        12⤵
        Executes dropped EXE
        
        PID:7284
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:15912
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        14⤵
        Executes dropped EXE
        
        PID:14932
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        15⤵
        Executes dropped EXE
        
        PID:19080
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        16⤵
        Executes dropped EXE
        
        PID:15204
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        17⤵
        Executes dropped EXE
        
        PID:14540
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:14980
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        19⤵
        Executes dropped EXE
        
        PID:9428
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8668
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:15968
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:9020
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        23⤵
        Executes dropped EXE
        
        PID:16292
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        24⤵
        Executes dropped EXE
        
        PID:8828
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:15732
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        26⤵
        Executes dropped EXE
        
        PID:15884
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:15780
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:18184
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        29⤵
        Executes dropped EXE
        
        PID:8348
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        30⤵
        Executes dropped EXE
        
        PID:9336
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        31⤵
        Executes dropped EXE
        
        PID:11912
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        32⤵
        Executes dropped EXE
        
        PID:15300
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        33⤵
        Executes dropped EXE
        
        PID:17132
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8856
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        35⤵
        Executes dropped EXE
        
        PID:15416
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        36⤵
        Executes dropped EXE
        
        PID:5396
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        37⤵
        Executes dropped EXE
        
        PID:19176
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        38⤵
        Executes dropped EXE
        
        PID:8680
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        40⤵
        Executes dropped EXE
        
        PID:16372
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:12052
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        42⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5660
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        43⤵
        Executes dropped EXE
        
        PID:18520
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        44⤵
        Executes dropped EXE
        
        PID:9796
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:15400
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        46⤵
        Executes dropped EXE
        
        PID:8708
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        47⤵
        Executes dropped EXE
        
        PID:17808
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        48⤵
        Executes dropped EXE
        
        PID:8768
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        49⤵
        Executes dropped EXE
        
        PID:9460
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        50⤵
        Executes dropped EXE
        
        PID:5552
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        51⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:11508
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        52⤵
        Executes dropped EXE
        
        PID:16920
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        53⤵
        Executes dropped EXE
        
        PID:8540
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        54⤵
        Executes dropped EXE
        
        PID:18008
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        55⤵
        Executes dropped EXE
        
        PID:8964
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        56⤵
        Executes dropped EXE
        
        PID:10720
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
        57⤵
        
        PID:1492
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:12000
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\System32.lnk"
        57⤵
        
        PID:9348
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:9508
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Windows.lnk"
        57⤵
        
        PID:9852
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:9576
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        57⤵
        Executes dropped EXE
        
        PID:10036
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
        58⤵
        
        PID:8252
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        59⤵
        
        PID:10464
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\System32.lnk"
        58⤵
        
        PID:7956
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        59⤵
        
        PID:17232
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Windows.lnk"
        58⤵
        
        PID:3568
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        59⤵
        
        PID:18916
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        58⤵
        Executes dropped EXE
        
        PID:9300
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
        59⤵
        
        PID:12552
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        
        PID:14832
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\System32.lnk"
        59⤵
        
        PID:6104
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        
        PID:14940
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Windows.lnk"
        59⤵
        
        PID:10292
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        
        PID:11524
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        59⤵
        Executes dropped EXE
        
        PID:9976
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
        60⤵
        
        PID:9728
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:9676
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\System32.lnk"
        60⤵
        
        PID:10760
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:10024
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Windows.lnk"
        60⤵
        
        PID:9972
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:9928
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        60⤵
        Executes dropped EXE
        
        PID:10956
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
        61⤵
        
        PID:10608
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:17964
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\System32.lnk"
        61⤵
        
        PID:11756
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:18856
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Windows.lnk"
        61⤵
        
        PID:10688
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:5924
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        61⤵
        Executes dropped EXE
        
        PID:11664
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
        62⤵
        
        PID:10908
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        63⤵
        
        PID:19380
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\System32.lnk"
        62⤵
        
        PID:10992
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        63⤵
        
        PID:16820
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Windows.lnk"
        62⤵
        
        PID:12164
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        63⤵
        
        PID:17884
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        62⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk"
        63⤵
        
        PID:10332
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        
        PID:11480
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\System32.lnk"
        63⤵
        
        PID:9376
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        
        PID:12312
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Windows.lnk"
        63⤵
        
        PID:10544
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        
        PID:10528
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        63⤵
        
        PID:11776
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        64⤵
        Drops file in System32 directory
        
        PID:12460
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        65⤵
        Drops file in System32 directory
        
        PID:11828
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        66⤵
        Drops file in System32 directory
        
        PID:10416
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        67⤵
        Checks computer location settings
        
        PID:13952
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        68⤵
        
        PID:18576
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        69⤵
        
        PID:780
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        70⤵
        
        PID:816
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        71⤵
        Drops file in System32 directory
        
        PID:12488
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        72⤵
        
        PID:11928
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        73⤵
        
        PID:4636
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        74⤵
        Checks computer location settings
        
        PID:11236
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        75⤵
        Checks computer location settings
        
        PID:12088
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        76⤵
        Checks computer location settings
        
        PID:11148
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        77⤵
        
        PID:1480
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        78⤵
        
        PID:5996
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        79⤵
        
        PID:13448
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        80⤵
        Drops file in System32 directory
        
        PID:12112
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        81⤵
        
        PID:12712
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        82⤵
        
        PID:11216
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        83⤵
        Checks computer location settings
        
        PID:13884
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        84⤵
        Checks computer location settings
        
        PID:3640
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        85⤵
        
        PID:14324
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        86⤵
        
        PID:14276
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        87⤵
        
        PID:14344
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        88⤵
        
        PID:5868
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        89⤵
        
        PID:10500
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:12940
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        91⤵
        Drops file in System32 directory
        
        PID:13224
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        92⤵
        
        PID:6940
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        93⤵
        
        PID:3912
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        94⤵
        
        PID:12724
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        95⤵
        
        PID:14364
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        96⤵
        Drops file in System32 directory
        
        PID:13576
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        97⤵
        Drops file in System32 directory
        
        PID:14488
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        98⤵
        Drops file in System32 directory
        
        PID:13800
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        99⤵
        Checks computer location settings
        
        PID:14320
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        100⤵
        
        PID:13812
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        101⤵
        
        PID:13968
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        102⤵
        
        PID:14004
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        103⤵
        
        PID:13764
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        104⤵
        
        PID:3872
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        105⤵
        Checks computer location settings
        
        PID:19324
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        106⤵
        Drops file in System32 directory
        
        PID:13540
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        107⤵
        
        PID:14852
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        108⤵
        
        PID:13228
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        109⤵
        Drops file in System32 directory
        
        PID:6796
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        110⤵
        Checks computer location settings
        
        PID:13620
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        111⤵
        
        PID:11780
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        112⤵
        
        PID:16464
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        113⤵
        
        PID:17960
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        114⤵
        
        PID:6280
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        113⤵
        
        PID:5496
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        114⤵
        
        PID:18496
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        115⤵
        
        PID:12440
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        114⤵
        Drops file in System32 directory
        
        PID:18764
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        115⤵
        
        PID:17056
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        116⤵
        
        PID:17112
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        115⤵
        
        PID:10520
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        116⤵
        
        PID:16148
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        117⤵
        
        PID:17064
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        116⤵
        
        PID:5524
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        117⤵
        
        PID:1404
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        118⤵
        
        PID:18408
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        117⤵
        
        PID:11192
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        118⤵
        
        PID:12520
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        119⤵
        
        PID:5608
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        118⤵
        
        PID:16544
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        119⤵
        
        PID:16860
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        120⤵
        
        PID:11644
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        119⤵
        
        PID:18108
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        120⤵
        
        PID:16396
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        121⤵
        
        PID:16484
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        120⤵
        
        PID:17676
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        121⤵
        
        PID:17704
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        122⤵
        
        PID:16760
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        121⤵
        
        PID:11036
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        122⤵
        
        PID:17428
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        123⤵
        
        PID:18996
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        124⤵
        Drops file in System32 directory
        
        PID:17752
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        125⤵
        Drops file in System32 directory
        
        PID:18216
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        126⤵
        
        PID:5752
        
        C:\Windows\System32\SevenCopy.exe
        
        "C:\Windows\System32\SevenCopy.exe"
        127⤵
        Drops file in System32 directory
        
        PID:16784

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:18548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt.420

Filesize
16B

MD5
ff0e78e03a447f07d873a045010229ac

SHA1
ad194bc56d7eca6c6aafe99a89b16c69661adfd0

SHA256
c5cf6b6d7097258604d15a2ecc95ba6e3e848f5345f3e337f6042a6b1d21f88b

SHA512
0639989a345ca466d78c0f29c5e2656d8880e6986884bcc7227522d5c26996677cccd8367e5871a3b022fe18d3d084390bfa6cb4c24364cb0732c6de8f2936ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.420

Filesize
2KB

MD5
79c6d2f86802a292f41fa3c385f61fae

SHA1
c64a66a9a2f645bcb309ea9d10813f557a05294f

SHA256
5910fcb4482dd12e202860f1fc72fa144aa27b390fa275901092f9214398fe9d

SHA512
cbe4311403e3bdc10e33ca0ff2d8a380346769a01a9cddfce292eb5da3ef506a47570f301868acc7bf4e52b1a483dc984b9f35bdfbaea976f3da388e099bc6e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.420

Filesize
6KB

MD5
aef715c2174210b8e238c91b03940492

SHA1
cec87417cd3f203304b3840ebe9b7121c78e8f61

SHA256
9c3e1ea98f01c2348588951a3dc29108e57237861443939a98439f19c2f3c6c6

SHA512
fbf68e73bb94a7152e9c34b19f5d0656c57da639033829d6fe0c52113bffc36f4d5352bbff9278ffaf0031445429a5ca623e7f19364a87aa78769b21d985d326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml.420

Filesize
321KB

MD5
585002fd4d920042c3df96a55b15265e

SHA1
8a3460d110c788735ee5318452be9d66e26cf803

SHA256
012a9ca399cafc89ce6de583f6759e283aaa6ace0ba18b879a70e67c71cd28d1

SHA512
5fdf32a7e064818cc8d3ce3dc3f12c11766630f76d58f93e7b0f44e093175cc2e584d34f05b85ac13747a1db297fe1e4de59333caa8daefd1900abfc43842d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml.420

Filesize
560B

MD5
ce7a2191490b33f6635bf3172acee6d8

SHA1
f02feff3160bca6d14b7169de2cb713c2310630b

SHA256
b9166a5fb3af0a1ca977221e0cd131e4c33a6bfb7e48bdde79822e9d69592784

SHA512
c801dacde4163bdf7ed6c21eb13e5acf2a7ce71b3f6f5a003e58f8580f2651b7adc543a3e680da9183262a1cb87bb796762b8ae86a1c8637cddd1f937f5231ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml.420

Filesize
100KB

MD5
6df18ce09245971e338740f870084394

SHA1
a40043b2edff084d0524361d9854440eec48dede

SHA256
c5da6142ec5f836293652b73c9bf8fd91847c35f16cb5956e188ec6a7b1c0315

SHA512
f345482afaf6130cef932814a0dd957fb0c7ddf88190f634c911c4eb909a9f8032cf834ae898875a5f7a61df7a5669602cf1a426145e6a1902433477d86eeec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml.420

Filesize
130KB

MD5
971626d372e843e06a467e87531980b7

SHA1
afc29ec325c6cffe180db538f1ea37f084b5cc07

SHA256
4869597258a3ae224079a5ff5d841113e544af2403c4911e9c1776d811ba149c

SHA512
796f07f0e93ce9deebe926f6d24f843cf572a0fcf14e156629768d612cb01964fac9cd258e992894556c8bef13c63f0f19de88aa8ccdd6896b45045c66459413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml.420

Filesize
270KB

MD5
85146fe4b4856a1b57a6172c66bbd2c9

SHA1
6c9bffc717198baad4466b6ac7faf1588de5118e

SHA256
8666046bf445502116e8b34da531e987589159616ddd727fc4623c8f3f0f2fea

SHA512
42561081193f7720810936336fd3dddd1e08e2ca6ae39751f124a8798282eb7972f42acffac320d5d6adec84b747de2ce86117b7117e9675d2338acd2f5667ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.420

Filesize
333KB

MD5
b2d58c31fa5c5e0610a191cd225ddf8c

SHA1
162d4827ae036ed28d1a32ea1432717278a043fb

SHA256
eca3a52060f14ed8976fd20828d69c0acdd26f7e575d8f5152fdd371329f35ea

SHA512
7382ff2ea0df08e7d65ee254f688c4b2e084f2ac664731f53c0afe2f30e1f1ddcafcc7feda0521cc9d43abf8aaf7164e52bf13782cf5281928398e8d82b9323b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.420

Filesize
5KB

MD5
7ddfa22afa17b213b92a2d706cedb7d4

SHA1
3ce6e66634953a4676609f17dd7c917288151cb7

SHA256
568c811db6c7f33dce5723a3e73934cf7639f6fbffa43f2699ecc471953d083a

SHA512
119b92a454857cedb6707217f2f59d886ba075b5585616343c86708bf78a6e299a34b7d1a66471feaddeb970197be5a0a0cc273044762c69eae1331b1acf5860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.420

Filesize
7KB

MD5
af406b2f60e1bdc11f38941d4c8ee789

SHA1
c2a5e8544d6d052f31d4be12b56bcc79c7075228

SHA256
f2f3321fae628993beeb9510f3413887be214dd23d438c59ee4fc04ce5577e19

SHA512
06d53eb7a72a654613e6d6c950664fe6dee076f14fa5bf454bceb658e5c02c00f183d82374587e9c3bddac9a7c224db047fbccd51551a29e18feef59e753c492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.420

Filesize
8KB

MD5
20212b619de20ca8036bcfa143b448a5

SHA1
257258f87b8b35b6269a59f62832d91e978dcda8

SHA256
56567fdd908eb6c58aecf155741eca281ab127131056baba63c25b5882160180

SHA512
e427ae838380b97dd33d4bdd507bacac8788aabd095223d5f73b4ccd341d10aca6eb9b9b1da51adb78666cfe3746e5847e71103464bbc9b55c802777f14593da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.420

Filesize
2KB

MD5
117b11840457bb459a7de042aeaf905c

SHA1
e8ea99d0a748a512e3a6d8b8a3954ec2dfb9f549

SHA256
c82ceb7025d365cb99c623060b4676c4b8c61393818ff5cf48ae51dc5dee4dd5

SHA512
20a3d7c86d4d5388c4a6a2d91067b3d7484e5506422747e77237ad31f53f8af407919f12468975402a9fba1d91e0c2f03f316a2b2224d87e56e87facfb022165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png.420

Filesize
10KB

MD5
3bc42eb1eccdfafa617b61474724dac2

SHA1
6a26940a2e23be374d418ec2ec606b50f84bb0a5

SHA256
88cd551ed0c80aea22a7cc6bfb3bf7dcb9f49abc7b7bff007f7532157f1298c1

SHA512
08a12861bb2320022298b5f1707f245671ce8a46766b4700f47a66d6bbeab79285d156ecd6fb32058ebecaf5b8a52691f4a6801177bfc3867f865130e5a2d678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.420

Filesize
7KB

MD5
79aa301d332168d9ecfba9705dc6f18f

SHA1
f47eb9382e85cf252f7ba4fcaa983e71d9031097

SHA256
90662bf8645df521077b9de4fbb61b355791f2b7638d0250b6b0b21c3b5d418b

SHA512
2819fdb2dd5851bb19455176ef6016ae44789552632cda589ad07c89d54f1c8b91f00f0c060ba83b64946b8973463441eb60f82835d2f4b95ac22a5d2dfc6e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.420

Filesize
4KB

MD5
3dff36784bd6d115206129782508df22

SHA1
b84b2cd5fa681000cfe543e09e0cd1af0e0e2645

SHA256
2a43eb1ff6700e2111e4737de83ea2af08c9bd2369dbd3253cfd6c2b7d0db60b

SHA512
5c5e2378920f60f91f5f512c04ef63f5b056c03a90be965bcd5c293d7f9b39c9d292ff9f8e037f8aef98d3ceaa7d8bf5545d23713fd24076c2eecf2823ea76df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.420

Filesize
7KB

MD5
6482ceacd5de556c906e9174ea213ac4

SHA1
9656e3a8e1315f109c3f4cc4d7df5427919ed736

SHA256
8d789177af9a428e3e035d4b574983aa577d227f341b12800d0a4dfebc20c84a

SHA512
8c7dd9b2fd53b38b20f38a1cd79d1c7d63c93f6d50fa12b81856cced8ddba7b840e50dc44a927d56f7553e5b6436d352abfedf5b885328ab65af8992781d8d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html.420

Filesize
6KB

MD5
a3a2e4e16aaaa6cca6e15f9c90eb7dfe

SHA1
54e9f7ad2b8e11526c7006dffe24cb2376d546ba

SHA256
5ba1dbcb7f628236eb28138e59539ab100dcb9c6c8dc58970780edc8deee4e6e

SHA512
830788686f299d92dddb14c23b5fe3161d438362a7a235ef74ae3fb6cf6043bf39ecc91cbd4f28c605198b8982326ba38f975f525b4375ed146c8acc642e1b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.420

Filesize
14KB

MD5
c7a6875d4b6bd830b490da8514d4ac8c

SHA1
5cf2cb12dd45468f56c07fdda90066982bb21a41

SHA256
5d0cb829307b1ac8ed6ce598bfdc25a10bcf31fa253d78ff65576472e21c7aa8

SHA512
245b0a07e81f2bab9ea6dad29629059e54d83940dbf90b1caec564733c29230380e25e87f06f48da04ff653236fa46dc168bb6bc65a96e8b20663e432f5f84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.420

Filesize
10KB

MD5
ae81ade97d2022bc559f821233eaf251

SHA1
4d2db669aed5219ebd52b0275dfcbee823364006

SHA256
51ef1bccb57ec7f93b6e4e6aaca6234b3d2e1fa7c88af2e3b24b7635bf73ff3b

SHA512
a662848e8eb903f3183c4e6c8d72f7200c6cdbd284c7427652d7ea786de624d330e542ecc0965d9988a1e0dd32756208119ecd3d709ddb6be4f75f1b5451f561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.420

Filesize
10KB

MD5
f5d45c66151be312d7930f8dd76d263c

SHA1
39607f30eab1acb130a6f3bc33826dadc791a3d2

SHA256
886066767cd98f0571bf04e7028232c05e670ba855de71fa9f29c5d217a96bd8

SHA512
719ed3b7fcea5153beb0c7b310b39f249a2b6e043e24bc501435478f5e5fff37b65d0787aad72de377fcfd6ee7f783154ea53da48e513b6d7add850c83d4c492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html.420

Filesize
6KB

MD5
c3588d56a93318f10a1f793601c624dc

SHA1
c86a79454eec483d8af919daa89f11650ca89535

SHA256
80483d2a355989aa4caad3b74ea89a8e7a85af2e693c11ebf968bab3637dd668

SHA512
48079d6cae5d6128fb1ed2531d1df0dabe08fb758edf6091be2d1c745c105062924b15ed23e024d52be0f44bf64d86defc6ca6aca67588749262382a23c94fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.420

Filesize
4KB

MD5
2137052f3a4740453eef134d833fe515

SHA1
899afc8803980257f87f68fce70526f44e4681cf

SHA256
b9f30902704f6f64d5f9677182f9021a43e57a03bf72729bcb4d7b4e59f902d2

SHA512
8f39d8c36087f04695360cc7321ed275ef2df6dfa5d5d139551e0096dd4659058165db778d936cfe81e2ee6cf42d672efadf664d0840617c7cc11c42c493463f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.420

Filesize
8KB

MD5
5ac6e918f45de88df57be721161ea6b0

SHA1
99a9798c124b034be5c62013d6b0ca141d1d3562

SHA256
76a0f92020287fd0c32485b054fd08ab0bf8248f3fe3ec7b50455b22ab67ea05

SHA512
932321e9768b216971ec621a2fa884351cca2baef5226e0b5747d0709b851ed09ba3f2d33306a1cd2deb9f4ce4b33227f36bc16468668b7c71b632a974a44c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.420

Filesize
9KB

MD5
3add9f876b690d3d8e2960d9a9c94a5b

SHA1
e8c47cc3c90b5ab817be43aedfff0fbbe4011f62

SHA256
cc7ed7956b82eca55f9c4baaf1e4b37bfce9397b859edea361f1b9c3903a6ae8

SHA512
44a4804b2147d40e82b2d408354a0fa733744119e4beb8cca5366a604db87b48fd3a92e1ffdf15664d6dac14b1110af5e1b7df496d54b7c42d8d262ac67b8385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.420

Filesize
7KB

MD5
072f453a89a4d3038e6cbd578a6321c0

SHA1
9441cd7523057c477a1968b7a91fb9dd21194820

SHA256
681b66383128c1a3ac22997173fce26ff2de8ba5b809e5f960b8a680767b56a3

SHA512
faa4fa5355d6c1346a48f79d3b12bd9f993d9df404ed11c31fc007eb482797a4acd6393a306685beef1519dc0724af187ca81eae4bae3fa00d1dc363cdff2040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html.420

Filesize
1KB

MD5
50f45ddb88b60bc37c52c35948da6226

SHA1
20e39190857e0247db2cdf7d2e55b438f09e0397

SHA256
7cbcfe19dc39c2883117b0372707f79b083d98bcbd0dd99e45d3821125a09646

SHA512
e2e9c3486bedf3e0ccef99856ebdfaf7226e5a47004ea129bda2df66ee0d29ce9bf520d8097cd6b7b7923497298a4a4f0abb623b7905f89408e4014d4c6e8c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt.420

Filesize
47KB

MD5
2bbffea67fd3664e3428d14f1b21ae9f

SHA1
0c324e5ff82f8a1e5b3e70597f71c263cbb07b6c

SHA256
89e64f11995f8f665bc064c907d33fb86cba32653ba256ed847a51bf89a91c30

SHA512
45eb9dce53dc40117dd5c38aeb1c8e4ad3bde1f7a1bac5e2e38e708cdbb09576ead26cdd807b21bb820b9a5df11901a3e615cf76946c03a0cf16ef3b734a7346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.420

Filesize
2KB

MD5
65213d2df4e3bc35bcb0e2085d1546ba

SHA1
4d7721f81ff9097a76698f92e1a5656dd226c9a5

SHA256
fb446df7daca5f6615250fe0873de17ab96b2d668f21959e0a57e5ed56f10280

SHA512
5099c07b3db82f3d371c585307b0060fd63e93769d6714f1ae72ace9639c3bec328d270ac9e6d644e4c404ad128d1bcc5dadbb835c6421be491186bc20b1fb7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.420

Filesize
720B

MD5
7292c68b20c58e9c78acb05ca8c9d56e

SHA1
e01722906f89a7a3a728c8c385ac9d306bc485ad

SHA256
14cf318ff227a7a73e5441eb91cd513fe134714b58a8b1863495f3abe4ab2f71

SHA512
95c0da6794cee8c658d1f9bed5b303e2b4f861c979b598f69876bd57ddc2e31fd03996ceed01253783bf5f4d8c9fbe303514844633c14f2286f083781099b425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.420

Filesize
864B

MD5
1c58bf2b6fef0f0adabc8525584ffa1d

SHA1
3a32959040b3527078de824bdc16161d64949f17

SHA256
5b478d42e551d6185f46cdc7c2b06b0a647b41c9f10e3ee374556fe0f9216da2

SHA512
953f108fd4de1e7d1723ea4f16aeba03d46eb03c0871b4e8635362006af41ff0a024083a80ebbeaceae5a681455beeb8b33881d6bc459aa1ea087a807ad41fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png.420

Filesize
672B

MD5
9f2e878913de5bff04dfd1dd8ddb6b3b

SHA1
e74011551ae3f123fd2eb5e66647b6072da72e92

SHA256
3c6ac633b8bc9e6b89157274c1648a9dbf33a9095ec7ded4394cca7b5a65d29f

SHA512
ad3e91a784ad7449e47f90eedd18da65fed6807232b9ee05c89e831a0a9bda2fedb7f48ea68fd9e756a4ecdb866c275612ea2c67ada16d3c79efc83598aa71f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png.420

Filesize
880B

MD5
5bd745aea264e813f912c2bd0252e62b

SHA1
8c8b6864e33f1da7143e59105eb998fcac0f1f9a

SHA256
66d31d56a6cb5f029874dd61f50f36f76f6bfa66ccf3a29e1ad24ba08fa3a964

SHA512
f2a90c1e2ae5d58366726cca2da2334f1490f465dd964c8091eba544a298374eccb57a989c518aaa0a2642d3459d8cc685f819fba052f38a9a8a5b1f1b038937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png.420

Filesize
816B

MD5
24ebc50ecbcd6bd5670b2350add1462e

SHA1
8c9552c44ac46ffcba1e6fbce839b542428fdd51

SHA256
de209aa977927a0cd8507d4d8a776fded8c690b82cceef338cfdb708fb85d24d

SHA512
f75a19137f81cf51d2ba01ca13a0ea27cdcc281821d5ed4626949ff0e11c1ef6f5a52aa6e3404bf14cba766fb9335a448c03c08987db8f668ab3e81d1d8fd09f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png.420

Filesize
1KB

MD5
b57ec3a89c6726bc15e1dc35826f6578

SHA1
1f6f531db4b88e294bc3289fc7596edd7121a5c1

SHA256
20502faa3bfa98955786c303974aadba89cc512d4ccc39d92df7a135da11a1a1

SHA512
ac01200b80cf80be4fe3349c30660a813d54a9c61631d4fb73942cef3e0c708434591bdf12390decd13b9fa15173db08be7252733eda40b10181725910ac70cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png.420

Filesize
3KB

MD5
6cf9e15ec355952ab508245ed98676d6

SHA1
32634a4d1966b7600934adaefa5f197236b81600

SHA256
75ba529ff811da0eb8164b790bde9c91df14df3128f65d7a94857fbc2b02a180

SHA512
c0c8cdcb90387f87eaea40b682bb9e54430afc3ca917d7292ce1e3127e8538d0c92ce96b38f447deda30aaaebd4b5f653457de8ae35666cb05defb361b1f53d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png.420

Filesize
656B

MD5
236cd2abd158f2bd276dc0f8d91e8ab6

SHA1
793fad5583aaf119c46c3683cf139a19e87341cc

SHA256
530afdda1fd2319112eb9a2695c8ade5830519d9999fc8fb1bb9c556b483ad33

SHA512
c2028106029196b4665be0ed9a5662453ed7ab4d91f34d4e6f527b84cdbc8245f7516f128055d17ba62928953a48bd4fc2d21b6a9177fbc53087b180f08f7310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png.420

Filesize
992B

MD5
c455efbd6bf02c728bd34fc5609f24e1

SHA1
a0c67cb44a5bb33de333221b771058fc163d9a52

SHA256
cd770dfeb9dad9c406e163381448e6628bcbf3aab3614c4083f2a50cd767c0cc

SHA512
644edb71ff2ec0bc5d983cc907484f167931c0e591dce7ebc3cf74220bbb551f280e6d7bf732ac25b517b3ad929cdba5a8930eb01bffaeb71bff12157b58733c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png.420

Filesize
1KB

MD5
7738095d6f7a265d783fbe963094d5b9

SHA1
520782fcc3f82a1f781502af95fcc96e24c3680a

SHA256
a016c9c5d952228e0c68ea9be6aea5c513f35f9a2c728639ca49ecf91a89ef32

SHA512
1e612071afac4b13c388ad73a7111e813a9d86a41d8d51580678301bce82a51a9039d7448abee408fe24870b3adcb484751afa6120e48391d80af2dfe3cc04ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png.420

Filesize
3KB

MD5
755de4fffcc51b6c3a30bed550da85ed

SHA1
d46ba3e3e4d96470dc2821956ee0ea8de3c62fa7

SHA256
48ccdd744a8d844b30519df4c44f0f2feb8225737cf359946caf4c7b4cb3b7a4

SHA512
9eeb945e25a9fc1d6b1f3beb3fe899534b6d2697c2b4666f8702562273644822d622d8e6bd6d8b11382857d62b2314513f1adca76b7af2b43ee5c3f88184a77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png.420

Filesize
416B

MD5
58a51a59ac81f45b8236a77f17794537

SHA1
459088c0becf03c86e8a55006911815339f4747a

SHA256
ba115c59d79444dc7493bde8a967e97eabfcfb4060114c0bf9df75fc2935bac0

SHA512
5f95b80eb58476d905f3b7bde41e95d97b33c2da4318bcfe5622710e7d9bb698048d6a03fd944dcab3a014b7dcb00e1f16cd1f9b1d04f9ccf30a1ae4563f4d4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png.420

Filesize
528B

MD5
cf5053be384f13da0be8137420601a41

SHA1
0e3c7aa31976d39022a44cae57da29932590a68f

SHA256
af84ffbbe2f21880d0ecfbda3a9a2c55ebb1c18fc684beef2c454ef7241e9b87

SHA512
5461e02261429f2da6ec8941839fa0aba6b5a4873c1b946ec8639512dc34b74910efdc96c832d340d1d93e379313faec1be2b3686f75d21bb2555a40477e7cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png.420

Filesize
592B

MD5
2ccd22e9453cbe16eb6d73acc1b12022

SHA1
5cf003421c00af48d49eb75557c9b8591d8db8a1

SHA256
295f119c3f90a683604c8f797bc587545774a05ab039f25e4d1cd3bd2a12ff20

SHA512
9f01eab806358da5f1a27e4cf62ea0300bd6be239f8a1de68d2b7d1dfad72d39652f2bc3c48fe6da683bad871708fc25d3d8e57a85a27eef5fa4bc582a2f91c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png.420

Filesize
816B

MD5
e4f1e528c3448767cf6dcab28c55a986

SHA1
a9264ddc91b747c99f6268607a813b71aef70601

SHA256
06993acea62b4063447ed286de823c27f0ab731bd2a21a47aba796c7064641ff

SHA512
d6007ae2eac25ba3f7642d7ff92dd8874b6b8814a26ad5d6a1dde7970ade7f3bdd01b7a5581402edb8b299e74901256a2094105c4676415634fff0971d54c1ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png.420

Filesize
1KB

MD5
017629e9f1b526457625d881479b8049

SHA1
8b1a7e73ca091330a30e35e74f0abbba5689494b

SHA256
415ee601a4b31058cb6e7f37666eca90dd893009fe431d98347f52f2d744d6af

SHA512
3715969ad196e40c90f244951ee735066e97c13d34ec4182797b8013cc19a520872f48397161bf64973935cef689deb796e7f1d8781b5c4fcbbc58767973ba81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png.420

Filesize
432B

MD5
837b697ea6dd6e8eee21d59fcf9f971f

SHA1
c6a3d8323222e04a5e1a04ee7e3b7f1a4b2bee24

SHA256
29078aac823d4fbb85434d48d02e26c579abc6d69aa9337d4618a0d0ed604399

SHA512
f647c31b4a480bb173fd6170f3a82b4ed154b18a7ac3894db1e439db8ebf0763f8757fe7f29e9be69a076fd9e797be5d5bb83dbb64b6b099c2591d42e0d2b2d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml.420

Filesize
352B

MD5
83930b510ce271650edd8d5e457fd006

SHA1
9b4a2f832b345311ecd0cc5aa073f4992db964b8

SHA256
ae915fa3382bd04ed86f8b628a2d2c9232c9119e3e02098ea926a4e7f1ae41f3

SHA512
b11219dec88c6018eeb32a53b85516e4400f87a19ca215cdd0523750adbb748728903c3d52f88525ed4cc53827d634502c981e0fad453cef205d0599208970f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.1.filtertrie.intermediate.txt.420

Filesize
16B

MD5
e8aaa566651759e399714d464cdfb390

SHA1
373942a3618c8d5ff0ba8aab8e22d4a64e5641ae

SHA256
1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a

SHA512
23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{f5f563ab-8370-4daa-939e-05085f5b46bb}\0.2.filtertrie.intermediate.txt.420

Filesize
16B

MD5
209371fb985ae536f7a01b2cbf06fdeb

SHA1
6e5d735e5a6aef442f3342931eaf47d505763578

SHA256
4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3

SHA512
53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579837687940046.txt.420

Filesize
77KB

MD5
f02236d4405a64d5d517446b74c7d9e9

SHA1
916bb004951fc6c239cc710aeceaa2230b0bf19d

SHA256
4bfc4df0bdb17685d97b9926b56ca29ed0ad4096ec9d94a6b2043e2c72a04c9b

SHA512
7717eb30b6636be3b1293449c91abdbdbff7ec7c4bf869818814dbef1d7ea74ec33ace21f3a805fa600bd1db2c1a8b5d6c4792d4f39c3061a40b3d0e0b619080

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579839712016426.txt.420

Filesize
47KB

MD5
22e53dc5709ced95e3c83af5804336a6

SHA1
0163069ed72c9616e06d8997c1f5d7fba597b0e0

SHA256
a128f39f65bd1068191be32727905f92217b625bde930a65ffae3250ec557373

SHA512
ce53d6e40b75737475193824dba4026508f9315be3a79698c3f5529863fad78bec5456b7e6f5971b08d5df5d753bc3dfe83dfa0aecb180d67ce970f6f2ef8dea

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846092837203.txt.420

Filesize
66KB

MD5
4a90573d4e1350bb3cb06a825fbd66de

SHA1
3f3ce3606d802cd06dda067fa2a07dfa745c90df

SHA256
5a74f880421a86087c44f74e3c105c9ec4fd4b1eae138984644c3d51d3e55242

SHA512
b09feba996e833c149a309cb45f56e79998cbdeb7fce71c15ef99a1615468aa62fd4c9b1cf3a4f802c27558a75db4c0885f84d65b1fdee979abde314d07c208c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133579846692840690.txt.420

Filesize
75KB

MD5
ab69555e8ae9d8ff1de5605724761c5f

SHA1
3e09f9b5cfaf45fb19a8ff5c3ff884f570015171

SHA256
358df7dc00b3290428a7551c7ea07259efbcd6afee694654809819d1ef6604e5

SHA512
5c372847305cf5157b59e0479367560e3e36291055c93f80e41c33d2a711d35d2009cf314b06ec0c5b925d690957d14ee86218d9b4f9afb1d8883f70cd05793b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1713510733.txt.420

Filesize
16B

MD5
bea21141aa401823a718b5744650822b

SHA1
bbe9cee4379b81dcf6fdf92aff28f2209563ce50

SHA256
57535fe04df416b5a689aa33f01d8e939f1d91fcae25c0c3cf8192baf417b1fe

SHA512
281f779891962273de9f795dea1917044247dbbe427d111b43027c08ad70577aeffbbb6dc8e68cb0013ebd1ce6103e10f1c71c7e144e75df15c76865ed9c9a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240419_070740298.html.420

Filesize
93KB

MD5
26867c65bfa6c8f5ed42e7eb935855c7

SHA1
75fe07221b6cf09e3cafe5349b86e44f4c25c025

SHA256
91b20caf24d5cfb3b3278b1c8e5cce58833ed2b7caeadfade89128ad23b13a57

SHA512
ec05007612ec6ffab2a2e5014f1d0ec9c54f2a5f899c61ed786dfea752490b7b9ad8bbe16d759494a40ea687c301c6590494344ba81f45eba3c1c9685b3245a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qraxvtyq.n14.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI23F5.txt.420

Filesize
426KB

MD5
641cefbf5e9878a3b9cdd13e0c2a2e32

SHA1
e10c558429c359ba246cd5fec16f68a4983355cc

SHA256
fc6ad1f86ba7d101762d2fdbad685cd70aa28d389054bce197cb3b23a09860cd

SHA512
7d593c6de6de5612147114b14211145a0fc05cd6be5b043574c872f05c7461b9199dd0fe3c483739a88c90709d2e24ed6d8851adf18ad09f3b4165c38751c8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2413.txt.420

Filesize
414KB

MD5
7aff10eedd9b996eb2974b4520949915

SHA1
a4c7d7f605cc6f54f0d0a5e5c1adf9fa7dba53c0

SHA256
0cb89c5a1a351b70849f4d6eb3210279d36e8a36a008a6e26fe460e9b5fda2e6

SHA512
0bf12093be4777b3d5cd0956ab910bcbf2d74b41cc9a917727ed509a941b8ab0491e7681f3caf58ff699753e05abcc4208d277d0b9e8d2216271dfe524b82fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI23F5.txt.420

Filesize
11KB

MD5
9ea6de139710bebdeefe390808e02c54

SHA1
0f2d6d2646c658dfaeb80b5a6693710e08bd3a5d

SHA256
0d499195cfaf0375a0ef85a0bde2a535fc1184380851a7d7b30287e7ae656129

SHA512
6a14df50e6a7f701f4c6c68fa5048dc00f4c53969743f391765d217e606168b0408a8cd4a3ff669c0b946540a59689d89cccea794ed01c8cdcefc43cd15ebb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html.420

Filesize
16B

MD5
65e115805f15f9cda5eb01e8f742d121

SHA1
e3ecf29bfa71ce07baf8d02009afb8766f35981b

SHA256
7852451b2b252515f369b14bd765135c2e11fee72276b5020e3ed61513c5611a

SHA512
dccbfdd893e5806fa1418e48e0c0c72ec2d1266ee7de48fce34bf3f74bda7e0682e8bf90de53594f34c3d5682c8164d9f6b6ea3977619be8487c2e339faa1ada

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\New folder.lnk.420

Filesize
752B

MD5
b5d286b416a0a319064431935def6875

SHA1
4586ff17c0017262464149d95f42b80ed4958163

SHA256
4190156b3535cbfe3bacd8c39426cfe2bc12529c48aeb2f81442965b5ba8d431

SHA512
9d23497c566f86f408a6c3799972ab0040dec6606c7941de6c190ee98e7814810737439e93c1137df14a02e78b24d93d646b9aacdf4ba82e6d46e770a0bc58fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\System32.lnk.420

Filesize
624B

MD5
ddc6aa87fe526aab8db97ee5a121ac0e

SHA1
61b61fe274c1b5d889a9fd04344a9925793a19a7

SHA256
8b37b2be0086f63679a406ceaf82b02254ceb63fca619c3cb3fe4825337c25f4

SHA512
4c344027bceaeeadabcb16a5bc9149934455739554e293369256a8bdcec6dd6b2bb6f73bfdb5fa442a41bf8e9ba6b2db1f3c494a51cfd6e2b37c623bce217acf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Windows.lnk.420

Filesize
512B

MD5
7ca2ddedf60a79fe4503c864bb086e19

SHA1
6a858925f63d0a189d4a15e1cfc2708c20a4f4aa

SHA256
f866d099cef8cc568c1cd2fe559da32b65dfcdc24f964048629ec3a676feb65e

SHA512
ac972ede264bf23b8736d4a9da3231154d5509fd4e837a50ba8a19624299e8daa8b62304089cfcb9f545ee130c402de8d3be061651b16e9ce9fcd73e985d273e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.420

Filesize
51KB

MD5
f14ebdbbc002c8ca15a7b7e139b01b25

SHA1
361c8e0f9e1480937b44cb208b65da4cd85d3d52

SHA256
c4ac4b34f8ac38a53e2eb6f1b35fefc01cd61c9c325e6ddf5f2d54de518515b8

SHA512
a9b2de5fd410db8e58b10fd8b0d854c8c9b191cc4157d38adb07600ee89110665169849d84692a749798db7063de233d837d31f1b0a85b248bad7f32ee4fb269

Download Submit
C:\Windows\System32\Seven.dll

Filesize
1.0MB

MD5
e630c47d4681dd3e7b3b479fcac7c880

SHA1
9a26b8b17be81f81d9452777c07119e690a381c7

SHA256
f1cb10ef481f5a797162d64e32fc332912e520e434b9794b5c4434807c508b78

SHA512
e6975ca496dc60a6ba316dd932ae72250a5ae5416662d8dfe3b5a6ca8e7268d24b727d468c2d9310766d2cdceb01ace27af2b0153308c7cf1483be468224b60c

Download Submit
C:\Windows\System32\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\Windows\System32\SevenCopy.exe

Filesize
139KB

MD5
6503f847c3281ff85b304fc674b62580

SHA1
947536e0741c085f37557b7328b067ef97cb1a61

SHA256
afd7657f941024ef69ca34d1e61e640c5523b19b0fad4dcb1c9f1b01a6fa166f

SHA512
abc3b32a1cd7d0a60dd7354a9fcdff0bc37ec8a20bb2a8258353716d820f62d343c6ba9385ba893be0cca981bbb9ab4e189ccfeee6dd77cc0dc723e975532174

Download Submit
memory/760-15-0x00007FFE74580000-0x00007FFE75041000-memory.dmp

Filesize
10.8MB

Download
memory/760-10-0x00007FFE74580000-0x00007FFE75041000-memory.dmp

Filesize
10.8MB

Download
memory/760-11-0x0000021855B30000-0x0000021855B40000-memory.dmp

Filesize
64KB

Download
memory/760-5-0x000002186E5B0000-0x000002186E5D2000-memory.dmp

Filesize
136KB

Download
memory/760-12-0x0000021855B30000-0x0000021855B40000-memory.dmp

Filesize
64KB

Download
memory/2248-601-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/3280-603-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/5644-598-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/5992-614-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/6112-607-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/6172-602-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/6372-613-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/7344-604-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/11976-608-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/16644-605-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/16744-599-0x00007FFE946F0000-0x00007FFE948E5000-memory.dmp

Filesize
2.0MB

Download
memory/16932-597-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/17488-606-0x00007FF749750000-0x00007FF7497B7000-memory.dmp

Filesize
412KB

Download
memory/18040-609-0x00007FFE93DA0000-0x00007FFE93E5E000-memory.dmp

Filesize
760KB

Download