Analysis

  • max time kernel
    300s
  • max time network
    305s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win11-20240508-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    30/05/2024, 13:55

General

  • Target

    Nursultan Nextgen.exe

  • Size

    462KB

  • MD5

    868b277b120c928954c671c863d6884f

  • SHA1

    62729969b44bd2f5a787fa54129a0dd829ae93e9

  • SHA256

    674ee967fdc01596ad81dc9b25dd33d64effdc2d5fa589308ff5b9d2b75d3214

  • SHA512

    3c5a99f143ea9f086be54ad5d489d2647664b5493526934fd0d6d7b51fffa2ba6099a465c537d891f7230c32891690e22fae9cd094e5df1d892621034ebbfe39

  • SSDEEP

    6144:yMNCVV9MK212l08je6VlWT8b9UELmSdTwbn5igrWyb8elMKPr5m:yM2LZ21V8jPVle8BpcbndWDiMKPr8

Score
10/10

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • Modifies AppInit DLL entries 2 TTPs
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 64 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice" & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice"
        3⤵
        • Creates scheduled task(s)
        PID:3212
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
        3⤵
        • Creates scheduled task(s)
        PID:1192
    • C:\Windows\SYSTEM32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\system32\schtasks.exe
        SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST
        3⤵
          PID:540
      • C:\Windows\SYSTEM32\CMD.exe
        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4160
        • C:\Windows\system32\schtasks.exe
          SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
          3⤵
            PID:3596
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
            3⤵
            • Creates scheduled task(s)
            PID:1536
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2396
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
            3⤵
            • Creates scheduled task(s)
            PID:3900
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4424
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
            3⤵
            • Creates scheduled task(s)
            PID:4840
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3536
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
            3⤵
            • Creates scheduled task(s)
            PID:4064
        • C:\Windows\SYSTEM32\CMD.exe
          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3540
          • C:\Windows\system32\schtasks.exe
            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
            3⤵
              PID:1148
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
              3⤵
              • Creates scheduled task(s)
              PID:4252
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3436
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
              3⤵
              • Creates scheduled task(s)
              PID:2972
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:3836
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
              3⤵
              • Creates scheduled task(s)
              PID:4756
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2732
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
              3⤵
              • Creates scheduled task(s)
              PID:1132
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1460
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
              3⤵
              • Creates scheduled task(s)
              PID:4840
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2084
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
              3⤵
              • Creates scheduled task(s)
              PID:2324
          • C:\Windows\SYSTEM32\CMD.exe
            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:536
            • C:\Windows\system32\schtasks.exe
              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
              3⤵
                PID:3856
            • C:\Windows\SYSTEM32\CMD.exe
              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
              2⤵
                PID:2024
                • C:\Windows\system32\schtasks.exe
                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                  3⤵
                    PID:2652
                • C:\Windows\SYSTEM32\CMD.exe
                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                  2⤵
                    PID:4476
                    • C:\Windows\system32\schtasks.exe
                      SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                      3⤵
                        PID:4868
                    • C:\Windows\SYSTEM32\CMD.exe
                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                      2⤵
                        PID:752
                        • C:\Windows\system32\schtasks.exe
                          SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                          3⤵
                          • Creates scheduled task(s)
                          PID:3144
                      • C:\Windows\SYSTEM32\CMD.exe
                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                        2⤵
                          PID:3748
                          • C:\Windows\system32\schtasks.exe
                            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                            3⤵
                            • Creates scheduled task(s)
                            PID:1472
                        • C:\Windows\SYSTEM32\CMD.exe
                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                          2⤵
                            PID:2324
                            • C:\Windows\system32\schtasks.exe
                              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                              3⤵
                              • Creates scheduled task(s)
                              PID:1344
                          • C:\Windows\SYSTEM32\CMD.exe
                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                            2⤵
                              PID:3152
                              • C:\Windows\system32\schtasks.exe
                                SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                3⤵
                                • Creates scheduled task(s)
                                PID:4144
                            • C:\Windows\SYSTEM32\CMD.exe
                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                              2⤵
                                PID:3432
                                • C:\Windows\system32\schtasks.exe
                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                  3⤵
                                    PID:1488
                                • C:\Windows\SYSTEM32\CMD.exe
                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                  2⤵
                                    PID:3836
                                    • C:\Windows\system32\schtasks.exe
                                      SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                      3⤵
                                      • Creates scheduled task(s)
                                      PID:2024
                                  • C:\Windows\SYSTEM32\CMD.exe
                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                    2⤵
                                      PID:2028
                                      • C:\Windows\system32\schtasks.exe
                                        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                        3⤵
                                          PID:4476
                                      • C:\Windows\SYSTEM32\CMD.exe
                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                        2⤵
                                          PID:2836
                                          • C:\Windows\system32\schtasks.exe
                                            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                            3⤵
                                              PID:1132
                                          • C:\Windows\SYSTEM32\CMD.exe
                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                            2⤵
                                              PID:3144
                                              • C:\Windows\system32\schtasks.exe
                                                SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                3⤵
                                                  PID:1900
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"' & exit
                                                2⤵
                                                  PID:2668
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"'
                                                    3⤵
                                                    • Loads dropped DLL
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2268
                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe
                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"
                                                      4⤵
                                                      • Executes dropped EXE
                                                      • Modifies registry class
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:2496
                                                • C:\Windows\SYSTEM32\CMD.exe
                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                  2⤵
                                                    PID:3856
                                                    • C:\Windows\system32\schtasks.exe
                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                      3⤵
                                                        PID:3220
                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                      2⤵
                                                        PID:3668
                                                        • C:\Windows\system32\schtasks.exe
                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                          3⤵
                                                            PID:1292
                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                          2⤵
                                                            PID:408
                                                            • C:\Windows\system32\schtasks.exe
                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                              3⤵
                                                                PID:1424
                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                              2⤵
                                                                PID:636
                                                                • C:\Windows\system32\schtasks.exe
                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                  3⤵
                                                                    PID:4868
                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                  2⤵
                                                                    PID:2896
                                                                    • C:\Windows\system32\schtasks.exe
                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                      3⤵
                                                                      • Creates scheduled task(s)
                                                                      PID:1068
                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                    2⤵
                                                                      PID:1132
                                                                      • C:\Windows\system32\schtasks.exe
                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                        3⤵
                                                                        • Creates scheduled task(s)
                                                                        PID:5008
                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                      2⤵
                                                                        PID:4004
                                                                        • C:\Windows\system32\schtasks.exe
                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                          3⤵
                                                                          • Creates scheduled task(s)
                                                                          PID:2172
                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                        2⤵
                                                                          PID:4712
                                                                          • C:\Windows\system32\schtasks.exe
                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                            3⤵
                                                                              PID:3820
                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                            2⤵
                                                                              PID:1528
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                3⤵
                                                                                  PID:1140
                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                2⤵
                                                                                  PID:4700
                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                    3⤵
                                                                                      PID:2760
                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                    2⤵
                                                                                      PID:1652
                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                        3⤵
                                                                                          PID:408
                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                        2⤵
                                                                                          PID:4324
                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                            3⤵
                                                                                            • Creates scheduled task(s)
                                                                                            PID:3852
                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                          2⤵
                                                                                            PID:2240
                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                              3⤵
                                                                                                PID:3340
                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                              2⤵
                                                                                                PID:3704
                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                  3⤵
                                                                                                  • Creates scheduled task(s)
                                                                                                  PID:1888
                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                2⤵
                                                                                                  PID:1900
                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                    3⤵
                                                                                                      PID:3160
                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                    2⤵
                                                                                                      PID:1532
                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                        3⤵
                                                                                                        • Creates scheduled task(s)
                                                                                                        PID:540
                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                      2⤵
                                                                                                        PID:4016
                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                          3⤵
                                                                                                          • Creates scheduled task(s)
                                                                                                          PID:4860
                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                        2⤵
                                                                                                          PID:2204
                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                            3⤵
                                                                                                            • Creates scheduled task(s)
                                                                                                            PID:4868
                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                          2⤵
                                                                                                            PID:5068
                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                              3⤵
                                                                                                              • Creates scheduled task(s)
                                                                                                              PID:2768
                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                            2⤵
                                                                                                              PID:3520
                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                3⤵
                                                                                                                • Creates scheduled task(s)
                                                                                                                PID:4500
                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                              2⤵
                                                                                                                PID:4972
                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                  3⤵
                                                                                                                  • Creates scheduled task(s)
                                                                                                                  PID:3892
                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                2⤵
                                                                                                                  PID:3520
                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                    3⤵
                                                                                                                    • Creates scheduled task(s)
                                                                                                                    PID:4788
                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                  2⤵
                                                                                                                    PID:2888
                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                      3⤵
                                                                                                                        PID:2000
                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                      2⤵
                                                                                                                        PID:1464
                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                          3⤵
                                                                                                                            PID:1444
                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                          2⤵
                                                                                                                            PID:4724
                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                              3⤵
                                                                                                                              • Creates scheduled task(s)
                                                                                                                              PID:4512
                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                            2⤵
                                                                                                                              PID:3780
                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                3⤵
                                                                                                                                • Creates scheduled task(s)
                                                                                                                                PID:4832
                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                              2⤵
                                                                                                                                PID:3656
                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                  3⤵
                                                                                                                                    PID:2264
                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                  2⤵
                                                                                                                                    PID:3912
                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                      3⤵
                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                      PID:4324
                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                    2⤵
                                                                                                                                      PID:704
                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                        3⤵
                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                        PID:3104
                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                      2⤵
                                                                                                                                        PID:2236
                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                          3⤵
                                                                                                                                          • Creates scheduled task(s)
                                                                                                                                          PID:2560
                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                        2⤵
                                                                                                                                          PID:1172
                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                            3⤵
                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                            PID:1876
                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                          2⤵
                                                                                                                                            PID:3612
                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                              3⤵
                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                              PID:3556
                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                            2⤵
                                                                                                                                              PID:820
                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                3⤵
                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                PID:1904
                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                              2⤵
                                                                                                                                                PID:4640
                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                  3⤵
                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                  PID:3396
                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                2⤵
                                                                                                                                                  PID:3820
                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                    3⤵
                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                    PID:4112
                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                  2⤵
                                                                                                                                                    PID:3104
                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                      3⤵
                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                      PID:3140
                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:4512
                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                  PID:2760
                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:4724
                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                      PID:1344
                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:3612
                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                        • Creates scheduled task(s)
                                                                                                                                                                                                        PID:4860
                                                                                                                                                                                                    • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:3836
                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                          SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                          3⤵
                                                                                                                                                                                                            PID:4492
                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:1264
                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                              • Creates scheduled task(s)
                                                                                                                                                                                                              PID:4388
                                                                                                                                                                                                          • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                            "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                            2⤵
                                                                                                                                                                                                              PID:408
                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Creates scheduled task(s)
                                                                                                                                                                                                                PID:5076
                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                PID:4520
                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                  PID:3144
                                                                                                                                                                                                              • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                                2⤵
                                                                                                                                                                                                                  PID:2016
                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                    SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                    3⤵
                                                                                                                                                                                                                    • Creates scheduled task(s)
                                                                                                                                                                                                                    PID:4952
                                                                                                                                                                                                                • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                  "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                    PID:688
                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                      SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                      3⤵
                                                                                                                                                                                                                      • Creates scheduled task(s)
                                                                                                                                                                                                                      PID:3420
                                                                                                                                                                                                                  • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                      PID:836
                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                          PID:1688
                                                                                                                                                                                                                      • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                        "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                                          PID:3056
                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                            SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                            3⤵
                                                                                                                                                                                                                            • Creates scheduled task(s)
                                                                                                                                                                                                                            PID:4720
                                                                                                                                                                                                                        • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                          "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                                            PID:4100
                                                                                                                                                                                                                            • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                              SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                              3⤵
                                                                                                                                                                                                                                PID:1604
                                                                                                                                                                                                                            • C:\Windows\SYSTEM32\CMD.exe
                                                                                                                                                                                                                              "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                                                PID:2176
                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                  SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                                  3⤵
                                                                                                                                                                                                                                  • Creates scheduled task(s)
                                                                                                                                                                                                                                  PID:3400
                                                                                                                                                                                                                            • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                                                                                              C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                              PID:4716
                                                                                                                                                                                                                            • C:\Windows\system32\svchost.exe
                                                                                                                                                                                                                              C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                              • Loads dropped DLL
                                                                                                                                                                                                                              PID:3800
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\DllHost.exe
                                                                                                                                                                                                                              C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                PID:2160
                                                                                                                                                                                                                              • C:\Users\Admin\Desktop\Trojan.exe
                                                                                                                                                                                                                                "C:\Users\Admin\Desktop\Trojan.exe"
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                PID:1676
                                                                                                                                                                                                                                • C:\Windows\explorer.exe
                                                                                                                                                                                                                                  "C:\Windows\explorer.exe"
                                                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                                                  • Modifies Installed Components in the registry
                                                                                                                                                                                                                                  • Loads dropped DLL
                                                                                                                                                                                                                                  • Enumerates connected drives
                                                                                                                                                                                                                                  • Checks SCSI registry key(s)
                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                                                  • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                  PID:328
                                                                                                                                                                                                                              • C:\Windows\explorer.exe
                                                                                                                                                                                                                                explorer.exe
                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                  PID:4900
                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                  PID:2436
                                                                                                                                                                                                                                • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
                                                                                                                                                                                                                                  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                  • Modifies Internet Explorer settings
                                                                                                                                                                                                                                  • Modifies registry class
                                                                                                                                                                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                  PID:3220
                                                                                                                                                                                                                                • C:\Windows\Dropbox
                                                                                                                                                                                                                                  C:\Windows\Dropbox
                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Drops file in Windows directory
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:2532
                                                                                                                                                                                                                                  • C:\Windows\system32\CMD.exe
                                                                                                                                                                                                                                    "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
                                                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                                                      PID:796
                                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                        SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
                                                                                                                                                                                                                                        3⤵
                                                                                                                                                                                                                                          PID:2788

                                                                                                                                                                                                                                    Network

                                                                                                                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                                                    Downloads

                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      14KB

                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\H3PMCBH8\www.bing[1].xml

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      17KB

                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0nctzun.xhg.ps1

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      60B

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\CompareComplete.vdx

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      293KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\ConfirmRequest.3gp2

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      470KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\ConvertFromCheckpoint.3gp2

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      329KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\ConvertFromSplit.m1v

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      223KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\DisconnectStep.dot

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      387KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\EnterWait.rle

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      305KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\FormatMerge.xml

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      235KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\GetClose.eps

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      411KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\GrantInstall.m4a

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      282KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\GroupSend.mht

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      340KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\InitializeRedo.cr2

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      317KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\InstallSwitch.hta

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      211KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\LimitShow.potm

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      646KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\Microsoft Edge.lnk

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      2KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\PopPush.lnk

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      446KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\PushCompare.emf

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      270KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\ResumeExpand.hta

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      258KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\ResumeFormat.rtf

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      423KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\SendDisable.wma

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      376KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\SendUninstall.lock

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      434KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\SkipDisable.wvx

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      188KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\StartRead.mp4v

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      458KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\TracePop.mp2v

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      199KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\Trojan.exe

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      436KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\UnblockWatch.pptx

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      352KB

                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\UndoComplete.potx

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      399KB


                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\UnprotectSend.MOD

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      176KB


                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\UnregisterConfirm.vstx

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      164KB


                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\WaitMove.easmx

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      364KB


                                                                                                                                                                                                                                    • C:\Users\Admin\Desktop\WatchTest.cab

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      246KB


                                                                                                                                                                                                                                    • C:\Users\Public\Desktop\Acrobat Reader DC.lnk

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      2KB


                                                                                                                                                                                                                                    • C:\Users\Public\Desktop\Firefox.lnk

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      1000B


                                                                                                                                                                                                                                    • C:\Users\Public\Desktop\Google Chrome.lnk

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      2KB


                                                                                                                                                                                                                                    • C:\Users\Public\Desktop\VLC media player.lnk

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      923B


                                                                                                                                                                                                                                    • C:\Windows\xdwd.dll

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      136KB


                                                                                                                                                                                                                                    • memory/1676-1233-0x0000000000400000-0x0000000000474000-memory.dmp

                                                                                                                                                                                                                                      Filesize

                                                                                                                                                                                                                                      464KB

                                                                                                                                                                                                                                    • memory/1924-44-0x00007FFCF3B90000-0x00007FFCF4652000-memory.dmp

                                                                                                                                                                                                                                      Filesize
