Analysis Overview
SHA256
674ee967fdc01596ad81dc9b25dd33d64effdc2d5fa589308ff5b9d2b75d3214
Threat Level: Known bad
The file Nursultan Nextgen.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Modifies Installed Components in the registry
Modifies AppInit DLL entries
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Enumerates connected drives
Command and Scripting Interpreter: PowerShell
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Checks SCSI registry key(s)
Creates scheduled task(s)
Uses Volume Shadow Copy WMI provider
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Uses Volume Shadow Copy service COM API
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 13:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 13:55
Reported
2024-05-30 14:00
Platform
win11-20240508-en
Max time kernel
300s
Max time network
305s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Pictures\\OpenOffice" | C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\Trojan.exe" | C:\Users\Admin\Desktop\Trojan.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\Desktop\Trojan.exe | N/A |
Modifies AppInit DLL entries
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Trojan.exe | N/A |
| N/A | N/A | C:\Windows\Dropbox | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wbem\WmiApSrv.exe | N/A |
| N/A | N/A | C:\Windows\system32\svchost.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\Desktop\\Trojan.exe" | C:\Users\Admin\Desktop\Trojan.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Dropbox | C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe | N/A |
| File opened for modification | C:\Windows\Dropbox | C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe | N/A |
| File created | C:\Windows\xdwd.dll | C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe | N/A |
| File opened for modification | C:\Windows\Dropbox | C:\Windows\Dropbox | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
Creates scheduled task(s)
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1022" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13827" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1055" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8748" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13827" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1055" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "13827" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1022" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8748" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff777777ff080808f0000000d0000000000000
000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000060000000ff00000060000000000000000000000020000000b0000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff000000ff00000060000000200000000000000020000000f00d0d0df09d9d9dffc8c8c8ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff000000603f3f3f66000000ff00000060000000900a0a0af0c0c0c0ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660e2e2e2ff474747eb000000d0000000e04c4c4cee999999ff939393eeb1b1b1f0e0e0e0ffe5e5e5ffe5e5e5ff8f8f8fff000000ff0000006056565660c8c8c8f7adadadf6858585ff000000ff000000ff737373ff999999ff999999ff999999ff999999ffa0a0a0e8868686ff000000ff000000606d6d6d88aaaaaaebb2b2b2ffb2b2b2ff7a7a7aff000000ff000000ff696969ff999999ff999999ff999999ff999999ff5f5f5fff000000ff0000006045454571b2b2b2ffb2b2b2ffb2b2b2ffa7a7a7ff1b1b1be8000000c0000000b0080808f08f8f8fff999999ff999999ff5f5f5fff000000ff00000060303030607f7f7fff7b7b7bf67e7e7ee2525252e20a0a0af0000000f00000003000000020000000f0101010eb5a5a5af6505050ff000000ff00000060303030607f7f7fff7f7f7fff7f7f7fff676767ff000000ff000000b000000020000000000000000000000020000000b0000000ff000000ff00000060303030607f7f7fff7f7f
7fff7f7f7fff777777ff080808f0000000d0000000000000000000000000000000000000000000000060000000ff00000060000000602c2c2ceb5f5f5fff5f5f5fff3f3f3fee080808f0000000f0000000300000000000000000000000000000000000000000000000a0000000600000000000000050000000b0000000f0000000ff000000f0000000a000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000424d3e000000000000003e0000002800000010000000400000000100010000000000000100000000000000000000000000000000000000000000ffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff0000ffff0000fff90000fff10000800100000000000000000000000000000000000000000000000000000001000080070000c0070000c80f0000ffff0000ffff000000000000000000000000000000000000000000000000010000000800000002000000040000002400000001000000000000000100000000000000 | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "15147" | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Dropbox | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | N/A |
| N/A | N/A | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe"
C:\Windows\SYSTEM32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice" & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice"
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
[Note: /MO -1 lies outside the 1-1439 range schtasks accepts for /SC MINUTE, so this creation attempt should fail. The report does not record schtasks' exit code, but this exact CMD.exe / schtasks.exe pair is re-issued 93 times over the run, which is consistent with the sample retrying a failing call in a loop rather than with a successfully registered task. The "Microsoft Word" (OnLogon) and "Jira Update" (every 5 minutes, target C:\Windows\Dropbox) tasks use valid schedules and are the ones to hunt for.]
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST
[The following CMD.exe / schtasks.exe pair is recorded 2 times in a row with identical command lines; shown once.]
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
[The following CMD.exe / schtasks.exe pair is recorded 10 times in a row with identical command lines; shown once.]
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
[The following CMD.exe / schtasks.exe pair is recorded 12 times in a row with identical command lines; shown once.]
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"' & exit
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"'
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"
[The following CMD.exe / schtasks.exe pair is recorded 15 times in a row with identical command lines; shown once.]
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
C:\Users\Admin\Desktop\Trojan.exe
"C:\Users\Admin\Desktop\Trojan.exe"
C:\Windows\explorer.exe
explorer.exe
[The following CMD.exe / schtasks.exe pair is recorded 2 times in a row with identical command lines; shown once.]
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
[The following CMD.exe / schtasks.exe pair is recorded 38 times in a row with identical command lines; shown once.]
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
C:\Windows\Dropbox
C:\Windows\Dropbox
[The following CMD.exe / schtasks.exe pair is recorded 11 times in a row with identical command lines; shown once.]
C:\Windows\SYSTEM32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST
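The process list above is dominated by three schtasks.exe /create command lines that differ only in task name, schedule and target. As an added example (not part of the sandbox report or of the sample), the Python below parses such command lines and scores them for the persistence tradecraft visible here: case-mangled switches, /RL HIGHEST, an action with no file extension sitting in a user-writable directory, a task name borrowed from a product the action path does not belong to, and a /SC MINUTE schedule with a /MO value schtasks cannot accept. The three sample lines are copied from the list above; the fourth, benign line and the USER_WRITABLE path list are assumptions for contrast.

```python
"""Score schtasks.exe command lines for scheduled-task persistence tradecraft.

Added triage helper, not part of the sandbox report. The first three sample
lines are the distinct schtasks invocations from the report's process list;
the fourth is a constructed benign line for contrast.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_CMDLINES = [
    # copied from the process list
    r'SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice"',
    r'SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST',
    r'SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST',
    # constructed benign line (assumption: a normally installed backup tool)
    r'schtasks /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe" /st 02:00',
]

# Path fragments a standard user can write to (assumed list; extend for your estate).
USER_WRITABLE = ("c:\\users\\public", "\\appdata\\", "c:\\programdata", "\\temp\\")

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_switches(tokens: list[str]) -> dict[str, str | None]:
    """Map lower-cased /switch names to their value, or None for bare flags such as /F."""
    switches = {}
    i = 1  # tokens[0] is the program name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("/")
            switches[tok[1:].lower()] = tokens[i + 1] if has_value else None
            i += 2 if has_value else 1
        else:
            i += 1
    return switches


def mixed_case(word: str) -> bool:
    """True for spellings such as 'SchTaSKs' that are neither lower, UPPER nor Capitalised."""
    letters = "".join(c for c in word if c.isalpha())
    return bool(letters) and not (letters.islower() or letters.isupper() or letters == letters.capitalize())


@dataclass
class Finding:
    cmdline: str
    task_name: str | None = None
    target: str | None = None
    reasons: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def assess(cmdline: str) -> Finding:
    """Return the persistence indicators present in one schtasks /create command line."""
    tokens = tokenize(cmdline)
    finding = Finding(cmdline)
    if not tokens or tokens[0].lower().rsplit("\\", 1)[-1] not in ("schtasks", "schtasks.exe"):
        return finding  # not a schtasks invocation
    sw = parse_switches(tokens)
    if "create" not in sw:
        return finding  # only task creation is scored here
    finding.task_name, finding.target = sw.get("tn"), sw.get("tr")
    target = (finding.target or "").lower()

    # 1. Case-mangled program name or switches defeat naive case-sensitive string matches.
    checked = [tokens[0]] + [t for t in tokens[1:] if t.startswith("/")]
    if any(mixed_case(t.lstrip("/")) for t in checked):
        finding.reasons.append("case-mangled schtasks verb or switches")
    # 2. The task asks to run with the highest available privileges.
    if (sw.get("rl") or "").lower() == "highest":
        finding.reasons.append("/RL HIGHEST")
    # 3. The action lives where an unprivileged user can replace it.
    if any(fragment in target for fragment in USER_WRITABLE):
        finding.reasons.append("action in user-writable path")
    # 4. A bare name such as 'OpenOffice' or 'Dropbox' looks like a folder in Explorer
    #    but is still launched as a PE by the scheduler.
    if target and "." not in target.rsplit("\\", 1)[-1]:
        finding.reasons.append("action has no file extension")
    # 5. The task name borrows a product name that the action path does not contain.
    if finding.task_name and target:
        vendor = finding.task_name.split()[0].lower()
        if vendor not in target:
            finding.reasons.append("task name does not match action path")
    # 6. /SC MINUTE accepts /MO 1-1439 only; anything else fails at creation time, so
    #    repeated identical invocations indicate a retry loop rather than a live task.
    if (sw.get("sc") or "").lower() == "minute":
        try:
            modifier = int(sw.get("mo") or 1)
        except ValueError:
            modifier = 0
        if not 1 <= modifier <= 1439:
            finding.reasons.append(f"/SC MINUTE with invalid /MO {sw.get('mo')}")
    return finding


def triage(cmdlines: list[str]) -> list[Finding]:
    """Assess every command line and return the findings, most suspicious first."""
    return sorted((assess(c) for c in cmdlines), key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"score={f.score} task={f.task_name!r} target={f.target!r}")
        for reason in f.reasons:
            print("   -", reason)
```

Feed it the schtasks.exe command lines from your process-creation telemetry (Sysmon event 1 or Security 4688 with command-line auditing); a score of 3 or more on a /create is worth a look, and the "invalid /MO" reason on a line that repeats is the signature of the retry loop seen in this report.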
Network
| Country | Destination | Domain | Proto | Connections |
| US | 8.8.8.8:53 | tel-form.gl.at.ply.gg | udp | 1 |
| US | 147.185.221.20:2421 | tel-form.gl.at.ply.gg | tcp | 8 |
| NL | 23.62.61.99:443 | www.bing.com | tcp | 5 |
| BE | 104.68.66.114:443 | cxcs.microsoft.net | tcp | 1 |
| US | 52.111.229.43:443 | (no domain recorded) | tcp | 1 |
[Repeated rows for the same destination have been merged; the Connections column gives the number of rows recorded. tel-form.gl.at.ply.gg on 147.185.221.20:2421 is the only non-Microsoft destination and is contacted repeatedly on a non-standard port, so it is the command-and-control indicator to block and hunt for; ply.gg hostnames belong to the playit.gg tunnelling service, so the IP is a relay rather than the operator's own host, and the hostname is the more durable indicator. The bing.com, cxcs.microsoft.net and 52.111.229.43 connections are consistent with Windows 11 background traffic from SearchHost.exe and StartMenuExperienceHost.exe, which also appear in the process list.]
Files
memory/1924-0-0x00007FFCF3B93000-0x00007FFCF3B95000-memory.dmp
memory/1924-1-0x0000000000010000-0x000000000008A000-memory.dmp
C:\Windows\xdwd.dll
| MD5 | 16e5a492c9c6ae34c59683be9c51fa31 |
| SHA1 | 97031b41f5c56f371c28ae0d62a2df7d585adaba |
| SHA256 | 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66 |
| SHA512 | 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6 |
memory/1924-44-0x00007FFCF3B90000-0x00007FFCF4652000-memory.dmp
memory/1924-120-0x000000001C610000-0x000000001C686000-memory.dmp
memory/1924-121-0x0000000002210000-0x000000000221C000-memory.dmp
memory/1924-122-0x000000001B730000-0x000000001B74E000-memory.dmp
memory/1924-150-0x00007FFCF3B93000-0x00007FFCF3B95000-memory.dmp
memory/1924-259-0x00007FFCF3B90000-0x00007FFCF4652000-memory.dmp
C:\Users\Admin\Desktop\GetClose.eps
| MD5 | 11995c714b2b79d7d96bdefe5dc39954 |
| SHA1 | ab2ddfdb3b802255cd2d1366918b790d49c60168 |
| SHA256 | 4b11b2b324acd139264b2329e7ada7aca2d3f874e9876196b92e3a981850bf15 |
| SHA512 | ba46b6cd47cd1fc0027e0e8c96a224d56799d0c66e7f495a276fda16b7abd54bfd76913c6e2453e228334827f0cdf39cf66796a63e9e4f5d293b0df5e29c0803 |
C:\Users\Admin\Desktop\Microsoft Edge.lnk
C:\Users\Public\Desktop\Acrobat Reader DC.lnk
C:\Users\Admin\Desktop\WatchTest.cab
C:\Users\Admin\Desktop\WaitMove.easmx
C:\Users\Admin\Desktop\UnregisterConfirm.vstx
C:\Users\Admin\Desktop\UnprotectSend.MOD
C:\Users\Admin\Desktop\UndoComplete.potx
C:\Users\Admin\Desktop\UnblockWatch.pptx
C:\Users\Admin\Desktop\TracePop.mp2v
C:\Users\Admin\Desktop\SkipDisable.wvx
C:\Users\Admin\Desktop\SendDisable.wma
C:\Users\Admin\Desktop\ResumeExpand.hta
C:\Users\Admin\Desktop\PushCompare.emf
C:\Users\Admin\Desktop\InstallSwitch.hta
C:\Users\Admin\Desktop\InitializeRedo.cr2
C:\Users\Admin\Desktop\GroupSend.mht
C:\Users\Admin\Desktop\GrantInstall.m4a
C:\Users\Admin\Desktop\FormatMerge.xml
C:\Users\Admin\Desktop\EnterWait.rle
C:\Users\Admin\Desktop\DisconnectStep.dot
C:\Users\Admin\Desktop\ConvertFromSplit.m1v
C:\Users\Admin\Desktop\ConvertFromCheckpoint.3gp2
C:\Users\Admin\Desktop\CompareComplete.vdx
C:\Users\Public\Desktop\Google Chrome.lnk
C:\Users\Public\Desktop\Firefox.lnk
C:\Users\Public\Desktop\VLC media player.lnk
C:\Users\Admin\Desktop\SendUninstall.lock
C:\Users\Admin\Desktop\ResumeFormat.rtf
C:\Users\Admin\Desktop\StartRead.mp4v
C:\Users\Admin\Desktop\ConfirmRequest.3gp2
C:\Users\Admin\Desktop\PopPush.lnk
C:\Users\Admin\Desktop\LimitShow.potm
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0nctzun.xhg.ps1
C:\Users\Admin\Desktop\Trojan.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\H3PMCBH8\www.bing[1].xml