Analysis
max time kernel: 300s
max time network: 305s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30/05/2024, 13:55
Static task: static1
Behavioral task: behavioral1
Sample: Nursultan Nextgen.exe
Resource: win11-20240508-en
General
Target: Nursultan Nextgen.exe
Size: 462KB
MD5: 868b277b120c928954c671c863d6884f
SHA1: 62729969b44bd2f5a787fa54129a0dd829ae93e9
SHA256: 674ee967fdc01596ad81dc9b25dd33d64effdc2d5fa589308ff5b9d2b75d3214
SHA512: 3c5a99f143ea9f086be54ad5d489d2647664b5493526934fd0d6d7b51fffa2ba6099a465c537d891f7230c32891690e22fae9cd094e5df1d892621034ebbfe39
SSDEEP: 6144:yMNCVV9MK212l08je6VlWT8b9UELmSdTwbn5igrWyb8elMKPr5m:yM2LZ21V8jPVle8BpcbndWDiMKPr8
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Pictures\\OpenOffice" | Nursultan Nextgen.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\Trojan.exe" | Trojan.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | Trojan.exe
Modifies AppInit DLL entries (2 TTPs)
Modifies Installed Components in the registry (2 TTPs, 1 IoC)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Executes dropped EXE (3 IoCs)
pid | Process
2496 | asvcucxh.2vi.exe
1676 | Trojan.exe
2532 | Dropbox
Loads dropped DLL (64 IoCs)
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\Desktop\\Trojan.exe" | Trojan.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | explorer.exe
File opened (read-only) | \??\F: | explorer.exe
pid | Process
2268 | powershell.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Dropbox | Nursultan Nextgen.exe
File opened for modification | C:\Windows\Dropbox | Nursultan Nextgen.exe
File created | C:\Windows\xdwd.dll | Nursultan Nextgen.exe
File opened for modification | C:\Windows\Dropbox | Dropbox
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 58 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Creates scheduled task(s) (1 TTP, 64 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchHost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchHost.exe
Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU | SearchHost.exe
Modifies registry class (64 IoCs)
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80705000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d0036003700510052003000
4f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80705000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff asvcucxh.2vi.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 asvcucxh.2vi.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 asvcucxh.2vi.exe
-
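The long hex value above is mostly padding, but it embeds the same UTF-16LE string several times ("{S38OS404-1Q43-42S2-9305-67QR0O28SP23}\rkcybere.rkr"), which is ROT13 text of the kind Explorer writes to its UserAssist records. The page does not show which key this value belongs to, so that is not asserted here; what can be shown is the decoding. The script below is an added example for this report, not part of the sandbox output: SAMPLE_HEX is an excerpt copied from the value data above, the extraction regex and the six-character minimum run length are this example's choices.

```python
"""Pull UTF-16LE strings out of a hex-encoded registry value and un-ROT13 them.

Added example for this report, not sandbox output. SAMPLE_HEX is copied from
the value data shown on the page; the surrounding record layout is not decoded
because the page does not name the key the value lives under.
"""
from __future__ import annotations

import codecs
import re

# Excerpt of the value data above: a 4-byte prefix, then a NUL-terminated
# UTF-16LE string, then zero padding.
SAMPLE_HEX = (
    "01000000"
    "7b005300330038004f0053003400300034002d0031005100340033002d00"
    "34003200530032002d0039003300300035002d00360037005100520030004f00"
    "3200380053005000320033007d005c0072006b006300790062006500720065002e00"
    "72006b00720000000000"
)

# Six or more printable ASCII characters, each followed by a NUL byte: the
# shape of a UTF-16LE string inside a raw REG_BINARY blob. Because the first
# byte must be printable and the second must be NUL, matches are self-aligning.
_UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def utf16_strings(hexdata: str) -> list[str]:
    """Return every printable UTF-16LE run found in a hex-encoded value."""
    raw = bytes.fromhex(hexdata)
    return [m.group().decode("utf-16-le") for m in _UTF16_RUN.finditer(raw)]


def rot13(s: str) -> str:
    """ROT13 as Explorer applies it to UserAssist paths: only A-Z/a-z rotate;
    digits, braces, hyphens and backslashes pass through unchanged."""
    return codecs.decode(s, "rot13")


def decode_value(hexdata: str) -> list[tuple[str, str]]:
    """(encoded, decoded) pairs for each embedded string in the value."""
    return [(s, rot13(s)) for s in utf16_strings(hexdata)]


if __name__ == "__main__":
    for enc, dec in decode_value(SAMPLE_HEX):
        print(f"{enc}\n  -> {dec}")
```

Decoding gives "{F38BF404-1D43-42F2-9305-67DE0B28FC23}\explorer.exe". That GUID is FOLDERID_Windows, so the string is simply the Windows\explorer.exe path written in known-folder form, consistent with explorer.exe being the process that set the value.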
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1924 Nursultan Nextgen.exe (×57)
4716 WmiApSrv.exe (×2)
1924 Nursultan Nextgen.exe (×5)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 328 explorer.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
description pid Process
Token: SeDebugPrivilege 1924 Nursultan Nextgen.exe
Token: SeDebugPrivilege 2268 powershell.exe
Token: SeShutdownPrivilege 328 explorer.exe
Token: SeCreatePagefilePrivilege 328 explorer.exe
(the SeShutdownPrivilege / SeCreatePagefilePrivilege pair for 328 explorer.exe repeats 22 times in total)
Token: SeDebugPrivilege 2532 Dropbox
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
1676 Trojan.exe (×59)
328 explorer.exe (×5)
-
Suspicious use of SendNotifyMessage 64 IoCs
pid Process
328 explorer.exe (×64)
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
2496 asvcucxh.2vi.exe
2496 asvcucxh.2vi.exe
328 explorer.exe
3220 SearchHost.exe
2436 StartMenuExperienceHost.exe
328 explorer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1924 wrote to memory of 4192 1924 Nursultan Nextgen.exe 83 (×2)
PID 4192 wrote to memory of 3212 4192 CMD.exe 85 (×2)
PID 1924 wrote to memory of 2808 1924 Nursultan Nextgen.exe 86 (×2)
PID 2808 wrote to memory of 1192 2808 CMD.exe 88 (×2)
PID 1924 wrote to memory of 2164 1924 Nursultan Nextgen.exe 89 (×2)
PID 2164 wrote to memory of 540 2164 CMD.exe 91 (×2)
PID 1924 wrote to memory of 4160 1924 Nursultan Nextgen.exe 92 (×2)
PID 4160 wrote to memory of 3596 4160 CMD.exe 94 (×2)
PID 1924 wrote to memory of 2180 1924 Nursultan Nextgen.exe 96 (×2)
PID 2180 wrote to memory of 1536 2180 CMD.exe 98 (×2)
PID 1924 wrote to memory of 2396 1924 Nursultan Nextgen.exe 101 (×2)
PID 2396 wrote to memory of 3900 2396 CMD.exe 103 (×2)
PID 1924 wrote to memory of 4424 1924 Nursultan Nextgen.exe 104 (×2)
PID 4424 wrote to memory of 4840 4424 CMD.exe 106 (×2)
PID 1924 wrote to memory of 3536 1924 Nursultan Nextgen.exe 107 (×2)
PID 3536 wrote to memory of 4064 3536 CMD.exe 109 (×2)
PID 1924 wrote to memory of 3540 1924 Nursultan Nextgen.exe 110 (×2)
PID 3540 wrote to memory of 1148 3540 CMD.exe 112 (×2)
PID 1924 wrote to memory of 1488 1924 Nursultan Nextgen.exe 113 (×2)
PID 1488 wrote to memory of 4252 1488 CMD.exe 115 (×2)
PID 1924 wrote to memory of 3436 1924 Nursultan Nextgen.exe 116 (×2)
PID 3436 wrote to memory of 2972 3436 CMD.exe 118 (×2)
PID 1924 wrote to memory of 3836 1924 Nursultan Nextgen.exe 119 (×2)
PID 3836 wrote to memory of 4756 3836 CMD.exe 121 (×2)
PID 1924 wrote to memory of 2732 1924 Nursultan Nextgen.exe 123 (×2)
PID 2732 wrote to memory of 1132 2732 CMD.exe 125 (×2)
PID 1924 wrote to memory of 1460 1924 Nursultan Nextgen.exe 126 (×2)
PID 1460 wrote to memory of 4840 1460 CMD.exe 128 (×2)
PID 1924 wrote to memory of 2084 1924 Nursultan Nextgen.exe 129 (×2)
PID 2084 wrote to memory of 2324 2084 CMD.exe 133 (×2)
PID 1924 wrote to memory of 536 1924 Nursultan Nextgen.exe 136 (×2)
PID 536 wrote to memory of 3856 536 CMD.exe 138 (×2)
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
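The process tree below shows the persistence mechanics in the raw command lines: schtasks is invoked with scrambled casing (SchTaSKs, /CrEAte), with /rl HIGHEST, with an OnLogon trigger and with task names borrowed from well-known software, and every task points at an extensionless file under C:\Users\Public\Pictures or directly under C:\Windows. Two details matter for detection. First, the PowerShell launcher uses an en dash (U+2013) in "–ExecutionPolicy Bypass"; PowerShell accepts that character as a parameter dash, so a literal "-ExecutionPolicy" string match misses it. Second, the CCleaner tasks pass /mo -1, which is outside the 1-1439 range schtasks documents for /sc minute; the sandbox's "Creates scheduled task(s)" tag records that schtasks.exe ran with /create and does not by itself show that the task was registered. The script below is an added example for this report, not part of the sandbox output: SAMPLE_LINES are copied from the process tree on this page, while the name watchlist, the path heuristics and the range check are this example's own choices.

```python
"""Flag scheduled-task and PowerShell persistence patterns in process command lines.

Added example for this report, not sandbox output. SAMPLE_LINES are copied from
the process tree on this page; the watchlist, path heuristics and /MO range
check are this example's own choices.
"""
from __future__ import annotations

import re

# PowerShell accepts U+2013, U+2014 and U+2015 as the dash that introduces a
# parameter, so "–ExecutionPolicy" runs fine but evades a literal match. Fold
# them to "-" before matching.
_DASHES = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-"})

# Constructed watchlist: product names the tasks on this page impersonate.
IMPERSONATED_NAMES = {"microsoft word", "ccleaner", "jira update", "dropbox"}
EXECUTABLE_SUFFIXES = (".exe", ".cmd", ".bat", ".ps1", ".vbs", ".js", ".msi", ".dll")
# Abbreviations powershell.exe accepts for -ExecutionPolicy.
_EXECPOL = {"-executionpolicy", "-exec", "-ex", "-ep"}

SAMPLE_LINES = [
    '"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" '
    '/tr "C:\\Users\\Public\\Pictures\\OpenOffice" & exit',
    '"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" '
    '/tr "C:\\Users\\Public\\Pictures\\OpenOffice" /RL HIGHEST & exit',
    '"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" '
    '/tr "C:\\Windows\\Dropbox" /RL HIGHEST & exit',
    # \u2013 is the en dash present in the page's own command line.
    '"C:\\Windows\\System32\\cmd.exe" /c start /b powershell \u2013ExecutionPolicy Bypass '
    "Start-Process -FilePath '\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Templates\\asvcucxh.2vi.exe\"' & exit",
]


def tokenize(cmdline: str) -> list[str]:
    """Split on whitespace but keep double-quoted spans together (quotes stripped)."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_switches(tokens: list[str]) -> dict[str, str | bool]:
    """Map schtasks-style /switches to their values; a bare switch maps to True."""
    opts: dict[str, str | bool] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("/"):
            i += 1
            continue
        has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
        opts[tok[1:].lower()] = tokens[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts


def check_schtasks(opts: dict[str, str | bool]) -> list[str]:
    """Heuristics for a schtasks /create invocation (switch names are case-folded)."""
    out: list[str] = []
    if "create" not in opts:
        return out
    sc = str(opts.get("sc", "")).lower()
    mo = str(opts.get("mo", ""))
    tn = str(opts.get("tn", "")).lower()
    tr = str(opts.get("tr", ""))
    if str(opts.get("rl", "")).lower() == "highest":
        out.append("runs with highest privileges (/rl highest)")
    if sc in ("onlogon", "onstart"):
        out.append(f"triggers at {sc}")
    if sc == "minute":
        try:
            n = int(mo)
        except ValueError:
            n = None
        if n is None or not 1 <= n <= 1439:
            out.append(f"/mo {mo!r} is outside the documented 1-1439 range for /sc minute")
        else:
            out.append(f"repeats every {n} minute(s)")
    if tn in IMPERSONATED_NAMES:
        out.append(f"task name impersonates known software: {tn}")
    if tr:
        low = tr.lower()
        if not low.endswith(EXECUTABLE_SUFFIXES):
            out.append(f"target has no executable extension: {tr}")
        # Public profile, or a loose file directly under C:\Windows.
        if low.startswith("c:\\users\\public\\") or re.fullmatch(r"c:\\windows\\[^\\]+", low):
            out.append(f"target in an unusual location: {tr}")
    return out


def analyze(cmdline: str) -> list[str]:
    """Findings for one command line; an empty list means nothing matched."""
    folded = cmdline.translate(_DASHES)
    findings: list[str] = []
    if folded != cmdline:
        findings.append("non-ASCII dash used as a parameter prefix")
    tokens = tokenize(folded)
    lowered = [t.lower() for t in tokens]
    for i, tok in enumerate(lowered):
        if tok.rsplit("\\", 1)[-1] in ("schtasks", "schtasks.exe"):
            findings += check_schtasks(parse_switches(tokens[i + 1:]))
            break
    if any(t.rsplit("\\", 1)[-1] in ("powershell", "powershell.exe", "pwsh", "pwsh.exe") for t in lowered):
        for i, tok in enumerate(lowered):
            if tok in _EXECPOL and i + 1 < len(lowered) and lowered[i + 1] == "bypass":
                findings.append("powershell -ExecutionPolicy Bypass")
    return findings


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line)
        for f in analyze(line):
            print("  -", f)
```

Run against a process-creation feed (Sysmon event 1 or Security 4688 with command-line auditing), the same analyze() call gives one finding list per event; the dash folding is cheap enough to apply to every PowerShell command line rather than only to those that already matched.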
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe"C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe"1⤵
- Modifies WinLogon for persistence
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SYSTEM32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice" & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4192 -
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice"3⤵
- Creates scheduled task(s)
PID:3212
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1192
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST3⤵PID:540
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4160 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵PID:3596
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1536
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:3900
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:4424 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4840
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4064
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵PID:1148
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4252
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2972
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4756
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:1132
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:4840
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST3⤵
- Creates scheduled task(s)
PID:2324
-
-
-
C:\Windows\SYSTEM32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit2⤵
- Suspicious use of WriteProcessMemory
PID:536 -
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3856)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2024)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2652)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4476)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4868)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:752)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3144)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3748)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1472)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2324)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1344)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3152)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4144)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3432)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1488)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3836)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2024)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2028)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4476)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2836)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1132)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3144)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1900)
    C:\Windows\System32\cmd.exe  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"' & exit  (PID:2668)
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"'  (PID:2268)
            - Loads dropped DLL
            - Command and Scripting Interpreter: PowerShell
            - Suspicious use of AdjustPrivilegeToken
            C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"  (PID:2496)
                - Executes dropped EXE
                - Modifies registry class
                - Suspicious use of SetWindowsHookEx
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3856)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3220)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3668)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1292)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:408)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1424)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:636)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4868)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2896)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1068)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1132)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:5008)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4004)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2172)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4712)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3820)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1528)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1140)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4700)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2760)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1652)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:408)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4324)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3852)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2240)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3340)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3704)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1888)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1900)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3160)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1532)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:540)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4016)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4860)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2204)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4868)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:5068)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2768)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3520)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4500)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4972)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3892)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3520)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4788)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2888)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2000)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1464)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1444)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4724)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4512)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3780)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4832)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3656)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2264)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3912)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4324)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:704)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3104)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2236)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2560)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1172)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1876)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3612)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3556)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:820)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1904)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4640)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3396)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3820)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4112)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3104)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3140)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3168)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2408)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:568)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3880)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3892)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3728)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2532)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4364)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4572)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2604)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:764)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1252)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4612)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2768)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4996)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1628)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1464)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4508)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:564)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4044)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4464)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3036)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1204)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4164)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4496)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2972)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3924)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4856)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4248)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3684)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:764)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:988)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3920)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:636)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2408)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3056)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4512)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2760)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4724)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1344)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3612)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4860)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3836)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4492)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:1264)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4388)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:408)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:5076)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4520)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3144)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2016)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4952)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:688)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3420)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:836)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1688)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:3056)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:4720)
            - Creates scheduled task(s)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:4100)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:1604)
    C:\Windows\SYSTEM32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:2176)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:3400)
            - Creates scheduled task(s)
C:\Windows\system32\wbem\WmiApSrv.exe  C:\Windows\system32\wbem\WmiApSrv.exe  (PID:4716)
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc  (PID:3800)
    - Loads dropped DLL
C:\Windows\SysWOW64\DllHost.exe  C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}  (PID:2160)
C:\Users\Admin\Desktop\Trojan.exe  "C:\Users\Admin\Desktop\Trojan.exe"  (PID:1676)
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of FindShellTrayWindow
    C:\Windows\explorer.exe  "C:\Windows\explorer.exe"  (PID:328)
        - Modifies Installed Components in the registry
        - Loads dropped DLL
        - Enumerates connected drives
        - Checks SCSI registry key(s)
        - Modifies registry class
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of SetWindowsHookEx
C:\Windows\explorer.exe  explorer.exe  (PID:4900)
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  (PID:2436)
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca  (PID:3220)
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
C:\Windows\Dropbox  C:\Windows\Dropbox  (PID:2532)
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\CMD.exe  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit  (PID:796)
        C:\Windows\system32\schtasks.exe  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST  (PID:2788)

Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (3)
  - Winlogon Helper DLL (1)
- Scheduled Task/Job (1)
Downloads
-
Filesize
14KB
MD5aaf0727cf0ee91c7458cfef415781516
SHA18e32852edcc8535e40f7c7f3053be6ca33a43a05
SHA2565b2ee6599886cf76f56ba490ed095d99ee6f7581366b097107e2901c260ca7c9
SHA5121af368e734db987b9895bae27eb57f99b2e39c111b8bea1f181f452a5f2103147e5cdc03b01d683b098085a2158b3fc85e278993819caca1bd343c4e6a6882e1
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\H3PMCBH8\www.bing[1].xml
Filesize17KB
MD5bc54c11989d696eef9c2e76ecd8ff0f8
SHA1261cadaef9db945e2b20b88e49b2f9654d529fb1
SHA2561300bffd5651af8acf6d0b8b6b8aa6b12e692c628b17e841ee8c047fae188cc9
SHA512bc4e0cf6857069c8ff683671772f59c97daf560217f1adc20a8b62144d5ebbdf44d58150634468e5633fa327b0475b09ddcbcba729334b7b7e2e7f31993dec7c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
293KB
MD5f88fcd1e6ca9766fe6c3b5bd65fea9cd
SHA1826a34de80198e83fdda3789bf2704f4c41191a1
SHA256ef7d8e03dba23a11040a02caad54a4933ff9ba367479dfc42c1fa9b030e0f9c0
SHA51246684145d45db73c1958f0c3e75339a6ae56c95cb63c34549c60f704bfa7ca729a8aefa80a34785eb64810ace8987ae41a0a8190fceec17a4f287c3d5f2e14c8
-
Filesize
470KB
MD5d615655c1da145b5c06ec8144d00c818
SHA12bc3a790e7b2570f92cd6315dc4fb28f548d1766
SHA256ef9d773870f22b7a578fd1bd4c822558c7a87cfed4147b66298a21f1996a2584
SHA512d5cb20655683e910338b686ef37a480d220038a8eeb9d9fe4117602926d52c56949ad766a92cea5b74ef7b1876a8ee3d43132c9e2de0f6ccacb2c0c6d4ed3852
-
Filesize
329KB
MD54f1a470fa86ad9c1a84c8ddb4329d76a
SHA1f1b57d3ef553559dc97d067749abd00718f73df5
SHA256da86928c95c6a2a50524bb113270bb92d34be06f0e959a0cb0437bd8412195a2
SHA512e86f1e96819e7c0f1b5f5a2e8adcfad0b99a8661c03a17b273b5eac4d50279d835735d91a35838b805d916d9d38734045c750b299874bb3e681e03ff8e320a0a
-
Filesize
223KB
MD55f8f01b0322839c4b264de42d5ea0478
SHA176657ca936420b03a21854b51c008199e245d7ad
SHA256489b9268cfa0addbbf54898ceb3b74a7a6c92e04a254fd01e136a53eff911b2b
SHA512b8d9044466efbafee1b80674445a222f85df7229f05f520f08bef7669f6496f54816c1e6de41f160b5206ef8c182799b37472dc400b987980b97410ba1248767
-
Filesize
387KB
MD57532b5a89d8e8425c152832a2c4648f8
SHA1577edddfcc1a134f68652f4fd57587a3a3cddeb9
SHA256bef229cba8f70bef94e0bf55d778efb70e01b5f3a18a289300e6f92540d1e947
SHA5124f2feecef28d315818fb4d3cab932abef9a4860f0141555a219fdade479180afe4594d99a43881935e6b5fcd05d9d6d2ffcc1540f927cd4a746d408f855b9885
-
Filesize
305KB
MD5f2903ad311f51cb372d27ff679de48cf
SHA12b55c95c89448b1bb0403580ffe502c7f5efaa98
SHA256df2e062700bc26ec2419c506ba81d1c57d57602e5451dee96a45015b9d2be3c6
SHA512ad87355e576c64562a49fb0d1d5bd264352cf3d0267c81a885acd890270568080704dfe4d9941082d7c986f91b363131bb44f072d10282045eea726669aa2d4f
-
Filesize
235KB
MD5fc11c3f8645738a24e5be8277b251fea
SHA1287e28ec2b94d753360d47d76419bbfe3f18336a
SHA25651c2b8e5380629226e3392d2d3678c1575d87744ca23fd99523437e7146c9ce6
SHA512541dbee14b46a8d21eba071b509e8c52707e88014c1f2fafd38d46731bbd28d12994e33964cc96aa6bf9f5638050876d10bb332da9bce11a89b0e7de201b4c94
-
Filesize
411KB
MD511995c714b2b79d7d96bdefe5dc39954
SHA1ab2ddfdb3b802255cd2d1366918b790d49c60168
SHA2564b11b2b324acd139264b2329e7ada7aca2d3f874e9876196b92e3a981850bf15
SHA512ba46b6cd47cd1fc0027e0e8c96a224d56799d0c66e7f495a276fda16b7abd54bfd76913c6e2453e228334827f0cdf39cf66796a63e9e4f5d293b0df5e29c0803
-
Filesize
282KB
MD568c033be62acaceee0cc9257ff9b262b
SHA12e2debcf187a2333ec1e1bb659749a8975e66643
SHA256ec85ebef573b20e217475bb7beb915716c6b14dc97f8ce85128d1729d1005a0a
SHA5123c0f6791690fc52ea3787d0c6c8f1fa90ab4fdfed52f3add92baa04c6b747c4dee6d198aaaef12de49e6e27debcab6c65b0bc955367af980c555547007d4e749
-
Filesize
340KB
MD510012a4b16d530d3e4de5573b36ededb
SHA10e6ff57a2061c1a76f40d01936ccb3cfb38fca5e
SHA25690ecf9102118aa8fd8492076e5d15daffecedf2c54bac4313df206fd77881edd
SHA512f899c3b2aab4b07172ed49778f5e444e377ec173906374fde226cf2cf3ca71d988fe2e88e8bc73fe0b41d5e9094f6df7f43944d735a096da6f228405568d4fea
-
Filesize
317KB
MD51d26b70686532658fcbbf4c1b447969f
SHA101065f76b72acae0ef611a4a68c9f2fdb1f1a430
SHA25671c626b6e4a4b142ab497ccd38705332cf40ab2b8a0252312ecd86868e6a5644
SHA51234128a96f36be2f8c994948a5d5b7190872c131554450ffbc3447d4ed155493e0fe070d294e24e92aebf7906022d20a9aa9a0cdc0bf6892cec6b31f183465629
-
Filesize
211KB
MD5
8bacaee4387e7e47d87fb0d54497f1d7
SHA1
df0be17ddc6f1e528546cfbbed903426d5d99558
SHA256
24b372fb5191a33432378d520c855d8f1452c85571f3e2421c6c627eee613178
SHA512
cc79de918cb323834ad9cfd3dd759af472002ce0fcd9d0ff3074e234fcce5b11fd278e8ae95b1f3563e482f5f17d2e28bc73a7e6c1a369c33b4e90bb6da03458
-
Filesize
646KB
MD5
89fb9fdfceba969c7f5c316ea1de2029
SHA1
90249c12deaca4b9b565bb746a91eedfa7e03ec3
SHA256
0a6552ca1ff7e7383df6fb4dc2b6663be74704f961806b73c8788e36a5d87f5c
SHA512
efb3e88044e88f34c270b2c9068249db9b7f9ab44264cf4eb037cbb49bce6937541846cddb0aaa1005c5628cd10cf818843811ef56a236525e1826d30586c1f1
-
Filesize
2KB
MD5
dbe9e061ccb1838728e19eb472a45cc6
SHA1
b304395ac69541054753ac075ff3679f7296f895
SHA256
f3f21aa9b341aa2291ba0d97029cdc57dd322b27bd965691bbbcd049ae40db64
SHA512
951f60c43ba95e1aa8d05536031ee2ed64df609d11051fd103deae62cdee07b29745f23db00960ceacad2982847729446adb18d159ec6cbe781222a81a3e0ff8
-
Filesize
446KB
MD5
9b777d8bc0888e7d2f932b8136b5b341
SHA1
b693cc7d25b1824f2afdb6a8464919e82fdd917b
SHA256
710df260a01a3d1c77ac266dd37ea2d0841dae4592bb4941d1ab1e56432db630
SHA512
d973fdea5cdde00000ccb3b771fff3c4e0a7005c2fc0f8e4c9a0c5dc1b24ecbe9101906e6a7a813cd5344f3ebd305500810d314bad8ddf44134e0845fd907bff
-
Filesize
270KB
MD5
b26c16377111ab71b7e96ec4c3998c7e
SHA1
3c12f809fb39c880756f361b0199ea14ac87d30c
SHA256
30e8e302a0fb63755b1c8d8c61ed0579b73a4d0398ebf1cd933c9cb00616fc60
SHA512
e45aaf78b7cba21a9282564f9a722cd2dfbce52991a8bdf0dbce21a644eefd693c436651299d639476472013036108eee41866ac6ac00e1659607a16a62e07b1
-
Filesize
258KB
MD5
3e1a70bcb519441f0e3d75960d6b9198
SHA1
d2c195bd9f86c894b3f043735982a60edb3c282b
SHA256
2776f631d94da0f5f799ff1fffc5fe430726eb2bf7b14c56c1c6134382b35c4b
SHA512
2d8c8a43d51e54ef62610ad98f2df05c90ae6cc54a215d8d14e64987fcfd6d912b1ab9e2fa9ffafd1fd69d62268bcdbfb903d3c640bb83ee1db598a5749b07ea
-
Filesize
423KB
MD5
982ffcac235aec27f7a66e99b78bc3b1
SHA1
18ff4d2c10b29d666e4fceb7633babac8b81f499
SHA256
9a54de0b697826e3ac6d66b29d560abaf132ef4e327153c94be625e43a111b5f
SHA512
bc1fb2b8970032ebe486d4bff9bb2488c5c170dd0cde9cb9ff6f792d86730125561287fb67528cb645e340f7f297be53cc985612ad27d22c8524814eaf38fde9
-
Filesize
376KB
MD5
eabd228a4585db7420a3b1fadcbea294
SHA1
ade2ff691f167ed8d9e97b8d8f1bd941dcdda26e
SHA256
d897e38d68ce191bd7dfbe178a0fa624bc5676c2cb53233f4bbc880cf51be979
SHA512
f2891934035d7b4766eae1a0ae489cde3a5e8576d6cca0c0f30890812aef674b98f868478b245ce3b60b9ace61895ef8ce71d04c6f9700439ca399dbf795b28a
-
Filesize
434KB
MD5
8751bff9f7adeea1dd9f3a8e23a70df9
SHA1
d98833352f3ace86f8c537b2fa9ef25e5e59afe7
SHA256
6a34f0df668cdcdf12bf6ffcf9b6f95dc7178d5278b6ded0249b982eb387f9a7
SHA512
06fa2c294caf641ffe558598825f8482145d8a63a176fe88c3dc109838ed6fe3b89e638066d98105f2cc741afcb9cf02f437b27e8e9d9474c4f601ed39eca7b1
-
Filesize
188KB
MD5
580276b3211d0c7ff94687a72e920c8f
SHA1
218fc5289c91d517448765c7b72504ca4727ff9f
SHA256
863fba3a91590f20118014c248e541e11afb6cc2f4ca8705d94b986a6376fb6b
SHA512
1540dc4f13d81617a1eb85d97bc8061482a110cb2a92e2a74717629917d36e200f81c3b95955a1decb404a5cfd47dfc720dc624a846a05a8486d74f056366234
-
Filesize
458KB
MD5
99c96d03aae8a1aa02f49ec96dfceebd
SHA1
740511fcc4b63a00ad4306f4f329d3fc2419e306
SHA256
632be0df75214492c4da4864752586210f46c31124fc4b1cecdb78a26e0d94cf
SHA512
0c5ce9f0f1a2dc334d903201e99a622661ab8b809bb5b489291b769779191ed6dfb81db333151092136e1023089f1ecf99101a1f166b83ce31c9ac25c8ca33f2
-
Filesize
199KB
MD5
01533025aa92983ffa5dc507b7f3b7e1
SHA1
a866136c57c24cfb840b17228494be3570682975
SHA256
1c1c555854b11c058b84677c104b0bea9335ad964f0df8cd83e75edf29bde5f0
SHA512
098212286d877cb3c3141bd7c4d84561c7318e290b2c7907fe40191eb0fc66a21bce4c736a64177ccc1f61a009f4e79a663b592824e0b8bd1548877ecfd62a4a
-
Filesize
436KB
MD5
15da9bd223289ddbd72b041017b299f1
SHA1
98bd69a39508547ef9226c4bd4ace68c57b0f597
SHA256
f8650c9bdfbad7ea71c244b458e1867c45c0c077c4f352666dd9b4cf588299af
SHA512
493052b1600edc457799f44563ff192097229ae425fc0d1bba6d854fe77b14c6debe460cb48d583fcbc80e94e9c7d3b077c4693f993ef6b7bef5ffa70e056a60
-
Filesize
352KB
MD5
b13ac61595bcd9c170ff6726caa5120e
SHA1
2f71593425c9a969c07711ad2ef962baf0bac319
SHA256
df8cabc5f6d6a529632e52b6f8c008352e31be627505b1629d2f7f0ebda10b34
SHA512
3113a62fd464e7497cf9a32583de7e639458a85ef5bc267ed1ac5e1105185145c927c5268efab8cbe3486bb131fc56aee8494df7266743ca7e747abf65b623aa
-
Filesize
399KB
MD5
f0d35dad01321c20380dd2d3777a223b
SHA1
78f3e1e2e924665b148b352f30031ce67b7749bd
SHA256
dfaa443085be00c3c5d86ab2203c69a5a9dcb63d2e6486ba786035b2d81a9e3d
SHA512
890bbaa0e44b0bc23e0c873ca5a9b2988375d876e10cccadb6c27948b0ef579ebad5996cbfc8a7ea47c53fbfa24bfd4717b17bc3be5af5f545fdef397d802666
-
Filesize
176KB
MD5
22a9fb5ea63daf8651734b191f681e07
SHA1
0a0ef9bc8ab275cb011011a8ac66d3e13af4dd51
SHA256
7abbd30dcbd7ca8b7d0ef1d675d2feb1aa055d672975f862dca163df5f5d9871
SHA512
ecb40e8e08e1edb6f263e3cea7f0c038a899fba86558dc43e76e55c4faf2e7fc7e58ab0a899c85f91a6bc13599407874f206a30f7fd48888b7e067cf3300c404
-
Filesize
164KB
MD5
fdb3545f540cf9c01e77554593183f49
SHA1
f92409feda62120c58932995e077dbe8517603ec
SHA256
daf5f4f911bf07edc36460d26a364f186245fb8a56e9a2eabd70419d58cd6895
SHA512
57c8c7bf01443e4b41f629ce59bc0cdfe284f95383340a07dd5ad44a667a16b37b5cdf7bf45c5c9297813200615ae0a377e8af2dfc1f4ec3d6e986e5aea68eee
-
Filesize
364KB
MD5
a1a6b70aa4be09f143eb7a1955161d05
SHA1
a4bfd0de664a856908d693eecbccdb25419b6115
SHA256
76ef9561f4337f1bcde75b30b37086e2a7ef3c92f02dab1c25b1dcd064a80c18
SHA512
a045a2802d61320d0942d32bdb34cf3478cdc797e2a5432314abf9bc657ad461889d361b33f343a8131e2ecbb2e5e33255318e4dcfbceb10f714f2ebc5864f09
-
Filesize
246KB
MD5
8f229078323416e1d39175a13cd3668b
SHA1
5ef306554499245a89f7c3374fcf7778dd7d4880
SHA256
44afcdee8a77c039eb00941ac1564936a44bc81f070c609b24af0c81995b5ef4
SHA512
51fe5330be4b3100fba6ea1d8dde24de1e4ac77a73a1c8d00628997513e768674454a36fa232ea276f910b18b1f4e620c84a47f4988fbade40e97ccb70b4af48
-
Filesize
2KB
MD5
114f51c8e133382bcdebc919d33c5d81
SHA1
27e3d191919dcb5dce0b878667324c8ecdf5062f
SHA256
07a36364faf4bb26fb46d46ea9f2553b58484fb4ed109c3d3e36ca2ce12b16b9
SHA512
782e4e9f7586b1defabc91675aa4ad26ce9ba3a2caaff5d2487c0d382e8582558a31c51ae20f3f4f07b762c9e594ef9d6e2eb2a6c16aa249c73b0cbd857faa61
-
Filesize
1000B
MD5
d453202d8232b602218441b59b945265
SHA1
11c6a47fd44c9ae39fee7ff428cf4ee9b92337a9
SHA256
340569335d39de8184e9ea87bd3888d322cfaca127522b407f0279a4441c7147
SHA512
701ac99e1406d39ec55dadbc201b99301e949dcb3ef7f26228d96ae3d14c759135056a42c68fe4b527e279aa23517555b037ee19ed56e4246981ff37cc530891
-
Filesize
2KB
MD5
2eb702965aeabb66a1ce760bffbe5d75
SHA1
356e3395cb57bd0999ad880b75f4b090f7ed5280
SHA256
c88861cef0572764300091ab10e857f28e603cea679638c8c919145006eae871
SHA512
09bc89f5910dc7c324948d880d60d7b87523bae73a628881837afc5492705f56e4c7214c22519a41080b50d7d64e3ced585072fbbfbb7adf968ee20861df41ed
-
Filesize
923B
MD5
55bc4c4831db98457a0134293f270124
SHA1
651f0e86ada21e2f95f919fd0364099d4ca34f4e
SHA256
894e3cea04571f7cb39d18e72293dc5908363ba183b79d2a0873688decb0256b
SHA512
91c64fe850c807172ab44aa5b08f0b3073e1d7782f3464e9f24e4818098c609991c7192243eac99f243a6d0209ad6d25e04a2a4bb7bdab585ee5d1ad20d25943
-
Filesize
136KB
MD5
16e5a492c9c6ae34c59683be9c51fa31
SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6