Malware Analysis Report

2025-04-14 00:59

Sample ID 240530-q783wabh95
Target Nursultan Nextgen.exe
SHA256 674ee967fdc01596ad81dc9b25dd33d64effdc2d5fa589308ff5b9d2b75d3214
Tags
execution persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

674ee967fdc01596ad81dc9b25dd33d64effdc2d5fa589308ff5b9d2b75d3214

Threat Level: Known bad

The file Nursultan Nextgen.exe was found to be: Known bad.

Malicious Activity Summary

execution persistence

Modifies WinLogon for persistence

Modifies Installed Components in the registry

Modifies AppInit DLL entries

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Command and Scripting Interpreter: PowerShell

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Checks SCSI registry key(s)

Creates scheduled task(s)

Uses Volume Shadow Copy WMI provider

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Uses Volume Shadow Copy service COM API

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-30 13:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-30 13:55

Reported

2024-05-30 14:00

Platform

win11-20240508-en

Max time kernel

300s

Max time network

305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Public\\Pictures\\OpenOffice" C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Desktop\\Trojan.exe" C:\Users\Admin\Desktop\Trojan.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\Desktop\Trojan.exe N/A
Read together: the HKLM Userinit value keeps the legitimate userinit.exe and appends C:\Users\Public\Pictures\OpenOffice as a second entry that Winlogon runs at every logon; under the user hive, Shell is written once as C:\Users\Admin\Desktop\Trojan.exe and once as Explorer.exe. If the Explorer.exe write was the later of the two, the value looks stock on a post-infection host and the write itself is the indicator.

Modifies AppInit DLL entries

persistence
(no indicator, process or target rows were recorded for this signature)

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
N/A N/A C:\Users\Admin\Desktop\Trojan.exe N/A
N/A N/A C:\Windows\Dropbox N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A
N/A N/A C:\Windows\system32\svchost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
(60 further rows in this table carry N/A in every column and are omitted; no loaded DLL path was recorded, so the signature is evidenced only by the four loading processes above)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\userini = "C:\\Users\\Admin\\Desktop\\Trojan.exe" C:\Users\Admin\Desktop\Trojan.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Dropbox C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe N/A
File opened for modification C:\Windows\Dropbox C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe N/A
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe N/A
File opened for modification C:\Windows\Dropbox C:\Windows\Dropbox N/A
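A host triage check for the persistence indicators recorded above (the Winlogon Userinit and Shell writes, the RunOnce entry, and the files dropped under C:\Windows and the user profile). This is an added example, not code from the report or from the sample: it assumes an elevated PowerShell 5.1 or later session on the suspect host, substitutes the current user's environment variables (APPDATA, USERPROFILE, PUBLIC, SystemRoot) for the sandbox's C:\Users\Admin and C:\Windows paths, and treats the stock Windows values of Userinit ("C:\Windows\system32\userinit.exe,") and Shell ("explorer.exe") as the baseline.

```powershell
# Added example, not part of the sandbox report or the sample.
# Checks a live host for the persistence indicators the behavioral1 run recorded.
# Assumptions: elevated PowerShell 5.1+; the current user's profile stands in for
# the sandbox's C:\Users\Admin; stock Windows registry values are the baseline.

$Findings = [System.Collections.Generic.List[string]]::new()
$Winlogon = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# 1. HKLM Winlogon\Userinit. Stock value is one entry plus a trailing comma.
#    The sample appended C:\Users\Public\Pictures\OpenOffice as a second entry.
$allowedUserinit = @("$env:SystemRoot\system32\userinit.exe", 'userinit.exe')
$userinit = (Get-ItemProperty -Path "HKLM:\$Winlogon" -Name Userinit -ErrorAction SilentlyContinue).Userinit
foreach ($entry in ($userinit -split ',')) {
    $entry = $entry.Trim()
    if ($entry -and $entry -notin $allowedUserinit) {
        $Findings.Add("HKLM Winlogon\Userinit has a non-default entry: $entry")
    }
}

# 2. Winlogon\Shell. HKLM stock value is "explorer.exe"; a stock user hive has no
#    Shell value at all. The sample wrote HKCU Shell = Trojan.exe and then
#    "Explorer.exe", so any HKCU Shell value, even a stock-looking one, is noted.
$hklmShell = (Get-ItemProperty -Path "HKLM:\$Winlogon" -Name Shell -ErrorAction SilentlyContinue).Shell
if ($hklmShell -and $hklmShell -ne 'explorer.exe') {
    $Findings.Add("HKLM Winlogon\Shell is '$hklmShell', expected 'explorer.exe'")
}
$hkcuShell = (Get-ItemProperty -Path "HKCU:\$Winlogon" -Name Shell -ErrorAction SilentlyContinue).Shell
if ($null -ne $hkcuShell) {
    $Findings.Add("HKCU Winlogon\Shell is set to '$hkcuShell' (absent on a stock profile)")
}

# 3. Run / RunOnce values pointing into user-writable or unusual locations.
#    The sample wrote HKCU ...\RunOnce\userini = C:\Users\Admin\Desktop\Trojan.exe.
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in 'Run', 'RunOnce') {
        $props = Get-ItemProperty -Path "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\$sub" -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }   # provider metadata, not registry values
            if ("$($p.Value)" -match '\\Users\\|\\Temp\\|\\Windows\\Dropbox') {
                $Findings.Add("$hive $sub\$($p.Name) = $($p.Value)")
            }
        }
    }
}

# 4. Files the sample created or executed, with a hash check against the sample.
$SampleSha256 = '674ee967fdc01596ad81dc9b25dd33d64effdc2d5fa589308ff5b9d2b75d3214'
$iocPaths = @(
    "$env:SystemRoot\Dropbox",
    "$env:SystemRoot\xdwd.dll",
    "$env:PUBLIC\Pictures\OpenOffice",
    "$env:APPDATA\Microsoft\Windows\Templates\asvcucxh.2vi.exe",
    "$env:USERPROFILE\Desktop\Trojan.exe"
)
foreach ($path in $iocPaths) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $Findings.Add("IOC path present: $path")
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($hash -eq $SampleSha256) { $Findings.Add("  SHA256 of $path matches the submitted sample") }
    }
}

if ($Findings.Count -eq 0) {
    'No indicators from sample 240530-q783wabh95 found on this host.'
} else {
    $Findings | ForEach-Object { "[!] $_" }
}
```

Run it from an elevated prompt. The HKCU checks only cover the user running the script; the report shows the writes under the S-1-5-21-...-1000 hive, so for other local profiles load their NTUSER.DAT with `reg load` and repeat the Shell and RunOnce checks against that hive.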

Enumerates physical storage devices

Checks SCSI registry key(s)

Every row in this table is attributed to C:\Windows\explorer.exe, not to the sample or to any file it dropped, so on its own it does not separate the sample's activity from the shell's routine device enumeration.

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
(64 identical rows: schtasks.exe was launched 64 times during the run; no command line, task name or target was recorded for any of them)
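The report records the 64 schtasks.exe launches but neither their arguments nor the resulting task names, so the tasks themselves have to be found on the host. The following is an added example, not code from the report or the sample: it lists every scheduled task whose action runs a program outside System32, SysWOW64 and Program Files, or whose command line matches one of the file paths recorded elsewhere in this report. It assumes an elevated PowerShell 5.1 or later session with the built-in ScheduledTasks module; the trusted-location regex and the IOC regex are this example's own heuristics.

```powershell
# Added example, not part of the sandbox report or the sample.
# Enumerate scheduled tasks and flag those whose action points outside the
# locations stock Windows tasks run from, or at a path this report recorded.
# Assumption: elevated PowerShell 5.1+ with the ScheduledTasks module.

$sysRoot = [regex]::Escape($env:SystemRoot)      # typically C:\Windows
$trusted = "^(?:$sysRoot\\(?:System32|SysWOW64)\\|C:\\Program Files(?: \(x86\))?\\)"

# Paths from the report's "Drops file in Windows directory", "Executes dropped EXE"
# and Winlogon rows. Substring matches: a triage list, not a verdict.
$reportIocs = '\\Windows\\Dropbox|\\Windows\\xdwd\.dll|\\Desktop\\Trojan\.exe|asvcucxh\.2vi\.exe|\\Public\\Pictures\\OpenOffice'

$candidates = foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        # Only Exec actions carry a command; COM-handler actions expose a ClassId instead.
        if (-not $action.Execute) { continue }
        $exe      = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
        $taskArgs = "$($action.Arguments)"
        $reason = if ("$exe $taskArgs" -match $reportIocs) { 'matches report IOC' }
                  elseif ($exe -notmatch $trusted)         { 'runs from untrusted location' }
        if (-not $reason) { continue }
        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            Execute   = $exe
            Arguments = $taskArgs
            Author    = $task.Author
            Reason    = $reason
        }
    }
}

$candidates | Sort-Object Task | Format-Table -AutoSize -Wrap
```

Commands given without a path (a bare `rundll32.exe`, for example) fail the trusted-location test and are listed as well; resolve those by hand rather than loosening the regex, since a task that drops into C:\Windows\Dropbox, as this sample does, would also pass a check that trusted all of C:\Windows.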

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Both signatures above are attributed to SearchHost.exe, the Windows search host, rather than to the sample or its dropped files, so the adware/spyware tag should not be read as a finding about Nursultan Nextgen.exe from these rows alone.

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1022" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "13827" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "1055" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "8748" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "13827" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1055" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "13827" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "1022" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\www.bing.com\ = "8748" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\PastIconsStream = (binary value not reproduced) C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\bing.com\Total = "15147" C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 140000000700000001000100050000001400000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070500420061007200510065007600690072000a00410062006700200066007600740061007200710020007600610000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000000000000000000000000000000000000000000000000000000000000a5e7c01448a1da0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff75ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80705000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff81ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e80705000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff82ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b007200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff83ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe N/A (57 identical events)
N/A N/A C:\Windows\system32\wbem\WmiApSrv.exe N/A (2 identical events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe N/A (5 identical events)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\explorer.exe N/A (22 identical events, alternating with the row below)
Token: SeCreatePagefilePrivilege N/A C:\Windows\explorer.exe N/A (22 identical events)
Token: SeDebugPrivilege N/A C:\Windows\Dropbox N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\Trojan.exe N/A
N/A N/A C:\Users\Admin\Desktop\Trojan.exe N/A
N/A N/A C:\Users\Admin\Desktop\Trojan.exe N/A
N/A N/A C:\Users\Admin\Desktop\Trojan.exe N/A
N/A N/A C:\Users\Admin\Desktop\Trojan.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 4192 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 4192 wrote to memory of 3212 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4192 wrote to memory of 3212 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 2808 wrote to memory of 1192 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2808 wrote to memory of 1192 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 2164 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 2164 wrote to memory of 540 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2164 wrote to memory of 540 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 4160 wrote to memory of 3596 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4160 wrote to memory of 3596 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 2180 wrote to memory of 1536 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2180 wrote to memory of 1536 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 2396 wrote to memory of 3900 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2396 wrote to memory of 3900 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 4424 wrote to memory of 4840 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4424 wrote to memory of 4840 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 3536 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 3536 wrote to memory of 4064 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3536 wrote to memory of 4064 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 3540 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 3540 wrote to memory of 1148 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3540 wrote to memory of 1148 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1488 wrote to memory of 4252 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1488 wrote to memory of 4252 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 3436 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 3436 wrote to memory of 2972 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3436 wrote to memory of 2972 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 3836 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 3836 wrote to memory of 4756 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3836 wrote to memory of 4756 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 2732 wrote to memory of 1132 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2732 wrote to memory of 1132 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 1460 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1460 wrote to memory of 4840 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1460 wrote to memory of 4840 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 2084 wrote to memory of 2324 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2084 wrote to memory of 2324 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1924 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 1924 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe C:\Windows\SYSTEM32\CMD.exe
PID 536 wrote to memory of 3856 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 536 wrote to memory of 3856 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe

"C:\Users\Admin\AppData\Local\Temp\Nursultan Nextgen.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Word" /tr "C:\Users\Public\Pictures\OpenOffice"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "Jira Update" /tr "C:\Windows\Dropbox" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\asvcucxh.2vi.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Users\Admin\Desktop\Trojan.exe

"C:\Users\Admin\Desktop\Trojan.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

(the C:\Windows\SYSTEM32\CMD.exe -> C:\Windows\system32\schtasks.exe pair above, with the identical command line, is recorded 21 more times)

C:\Windows\Dropbox

C:\Windows\Dropbox

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" /tr "C:\Users\Public\Pictures\OpenOffice" /RL HIGHEST

(the same CMD.exe -> schtasks.exe pair, with the identical command line, is recorded 10 more times; one of those CMD.exe paths is logged as C:\Windows\system32\CMD.exe with lower-case system32)
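
Added example, not part of the sandbox report: a Python parser for the schtasks /create invocations recorded in the process list above, with the checks a detection engineer would run on each one. Two things worth verifying on a compromised host rather than inferring from the log: the task action points at C:\Users\Public\Pictures\OpenOffice, a path any local user can write to, with no file extension; and /mo -1 lies outside the 1-1439 range schtasks accepts for /sc minute, so schtasks rejects the command, which makes the long run of cmd.exe -> schtasks.exe spawns look like retries rather than a task that ran every minute. Check with schtasks /query /tn "CCleaner" /v /fo LIST before assuming the task exists. Only the first sample command line is the exact string from the report; the other samples, the user-writable prefix list and the look-alike task-name list are constructed for this example.

```python
"""Triage of the schtasks /create command lines recorded above.

Added example, not part of the sandbox report. SAMPLE_CMDLINES[0] is the
exact command line from the report; the rest, the writable-prefix list and
the look-alike task names are constructed for this example.
"""
import re

# /MO values schtasks accepts for each /SC type (Microsoft schtasks docs).
MODIFIER_RANGE = {"MINUTE": (1, 1439), "HOURLY": (1, 23),
                  "DAILY": (1, 365), "WEEKLY": (1, 52), "MONTHLY": (1, 12)}

# Switches that take no value; every other /switch consumes the next token.
FLAG_SWITCHES = {"/create", "/delete", "/query", "/run", "/end", "/change",
                 "/f", "/z", "/v1", "/np", "/it"}

# Locations any local user can write to (heuristic list for this example).
USER_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\",
                          "c:\\windows\\temp\\", "c:\\users\\")

# Product names commonly borrowed for task names (heuristic, this example's).
LOOKALIKE_NAMES = {"ccleaner", "googleupdate", "onedrive", "adobe updater"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes
    (quotes are stripped; schtasks arguments use no backslash escaping)."""
    return [t[1:-1] if t.startswith('"') else t
            for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline):
    """Return {switch: value} for the schtasks call inside cmdline, or None
    if there is none. Starts at the schtasks token so the `cmd /c ... & exit`
    wrapper seen in the report is skipped, and stops at the first cmd.exe
    operator so `exit` is not read as a schtasks argument."""
    toks = tokenize(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if re.fullmatch(r"(?i)(.*\\)?schtasks(\.exe)?", t)), None)
    if start is None:
        return None
    opts, i = {}, start + 1
    while i < len(toks) and toks[i] not in ("&", "&&", "|", "||"):
        key = toks[i].lower()
        if not key.startswith("/"):
            i += 1
        elif key in FLAG_SWITCHES or i + 1 >= len(toks):
            opts[key] = True
            i += 1
        else:
            opts[key] = toks[i + 1]
            i += 2
    return opts


def triage(cmdline):
    """Return (opts, findings); findings is empty when nothing is suspicious."""
    opts, findings = parse_schtasks(cmdline), []
    if not opts or "/create" not in opts:
        return opts, findings
    sc, mo = str(opts.get("/sc", "")).upper(), opts.get("/mo")
    if sc in MODIFIER_RANGE and mo is not None:
        lo, hi = MODIFIER_RANGE[sc]
        if not (str(mo).lstrip("-").isdigit() and lo <= int(mo) <= hi):
            findings.append(f"/mo {mo} is outside {lo}-{hi} for /sc {sc}; "
                            "schtasks rejects it, verify whether the task exists")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        findings.append("/RL HIGHEST asks for the highest privileges available")
    tr = str(opts.get("/tr", "")).lower()
    if tr.startswith(USER_WRITABLE_PREFIXES):
        findings.append("task action lives under a user-writable directory")
    if tr and not re.search(r"\.(exe|dll|cmd|bat|ps1|vbs|js|msi|scr)\b", tr):
        findings.append("task action has no executable file extension")
    if str(opts.get("/tn", "")).lower() in LOOKALIKE_NAMES:
        findings.append("task name mimics a well-known product")
    if "/f" in opts:
        findings.append("/f silently replaces an existing task of that name")
    return opts, findings


SAMPLE_CMDLINES = [
    # exact command line from the report, including the cmd.exe wrapper
    '"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "CCleaner" '
    '/tr "C:\\Users\\Public\\Pictures\\OpenOffice" /RL HIGHEST & exit',
    # constructed benign task for comparison
    'schtasks /create /tn "NightlyBackup" /sc daily /st 02:00 '
    '/tr "C:\\Program Files\\Backup\\backup.exe"',
    # constructed: same shape as the report's, but with a valid modifier
    'schtasks.exe /create /sc minute /mo 5 /tn "Sync" /tr "C:\\Tools\\sync.exe"',
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        opts, findings = triage(c)
        print(opts.get("/tn"), "->", findings or ["no findings"])
```

The parser keys on the schtasks token rather than on the start of the command line, so it sees the same invocation whether it arrives as the schtasks.exe process itself or wrapped in the parent "CMD" /c ... & exit, both of which appear in the list above.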

Network

Country Destination Domain Proto
US 8.8.8.8:53 tel-form.gl.at.ply.gg udp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
NL 23.62.61.99:443 www.bing.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
US 52.111.229.43:443 tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
NL 23.62.61.99:443 www.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
NL 23.62.61.99:443 www.bing.com tcp
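
Added example, not part of the report: Python that turns the connection table above into deduplicated indicators and matches them against connection logs. The rows in NETWORK_TABLE are copied from the table above (a subset, same format); the noise allow-list, the labels and the sample log lines are constructed for this example. Once the Bing and Microsoft background traffic is discounted, the only activity left is the DNS lookup of tel-form.gl.at.ply.gg through 8.8.8.8 and the repeated TCP connections to 147.185.221.20:2421 that it resolves to, plus one unattributed HTTPS connection with no hostname in the capture. Hostnames under ply.gg are playit.gg tunnel endpoints, so the IP is shared relay infrastructure: hunt and block on the hostname and port, and treat the address on its own as a low-fidelity indicator.

```python
"""Indicators from the connection table above, and a matcher for them.

Added example, not part of the report. NETWORK_TABLE rows are copied from
the table above (a subset, same format); the allow-list, the labels and
SAMPLE_LOG are constructed for this example.
"""
import re
from collections import Counter

NETWORK_TABLE = """\
US 8.8.8.8:53 tel-form.gl.at.ply.gg udp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
NL 23.62.61.99:443 www.bing.com tcp
BE 104.68.66.114:443 cxcs.microsoft.net tcp
US 52.111.229.43:443 tcp
US 147.185.221.20:2421 tel-form.gl.at.ply.gg tcp
NL 23.62.61.99:443 www.bing.com tcp
"""

# Country, ip:port, optional domain, protocol, as printed in the report.
ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+)"
                 r"(?: (?P<domain>\S+))? (?P<proto>tcp|udp)$")

# Sandbox and OS background traffic to discount (allow-list for this example).
NOISE_SUFFIXES = (".bing.com", ".microsoft.net", ".microsoft.com",
                  ".windowsupdate.com")
# Hostnames under ply.gg are playit.gg tunnel endpoints: the IP behind them is
# shared relay infrastructure, so hostname plus port is the durable indicator.
TUNNEL_SUFFIXES = (".ply.gg",)
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}


def parse_rows(table):
    """Parse the printed rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m["port"])})
    return rows


def classify(row):
    """Label one connection: dns (lookup via a public resolver), noise
    (allow-listed background traffic), tunnel (tunnel-service hostname),
    unattributed (no hostname seen in the capture) or other."""
    domain = (row["domain"] or "").lower()
    if row["proto"] == "udp" and row["port"] == 53 and row["ip"] in PUBLIC_RESOLVERS:
        return "dns"
    if domain.endswith(NOISE_SUFFIXES):
        return "noise"
    if domain.endswith(TUNNEL_SUFFIXES):
        return "tunnel"
    return "unattributed" if not domain else "other"


def indicators(table):
    """Collapse the rows into (label, domain, ip, port, proto) -> hit count,
    dropping background noise and the resolver traffic."""
    counts = Counter()
    for row in parse_rows(table):
        label = classify(row)
        if label in ("dns", "noise"):
            continue
        counts[(label, row["domain"] or "-", row["ip"], row["port"], row["proto"])] += 1
    return counts


# Constructed Sysmon-style lines: EventID 22 = DNS query, EventID 3 = connect.
SAMPLE_LOG = r"""
EventID=22 Image=C:\Users\u\AppData\Roaming\svc.exe QueryName=tel-form.gl.at.ply.gg
EventID=3 Image=C:\Users\u\AppData\Roaming\svc.exe DestinationIp=147.185.221.20 DestinationPort=2421 Protocol=tcp
EventID=3 Image=C:\Windows\System32\svchost.exe DestinationIp=23.62.61.99 DestinationPort=443 Protocol=tcp
EventID=22 Image=C:\Tools\browser.exe QueryName=www.bing.com
EventID=3 Image=C:\Users\u\AppData\Roaming\svc.exe DestinationIp=147.185.221.20 DestinationPort=443 Protocol=tcp
"""


def match_log(log, iocs):
    """Return the log lines that resolve an indicator hostname (any host under
    a tunnel suffix counts, so a rotated subdomain is still caught) or connect
    to an indicator ip:port; the same IP on another port is not a hit."""
    domains = {k[1] for k in iocs if k[1] != "-"}
    endpoints = {(k[2], k[3]) for k in iocs}
    hits = []
    for line in log.splitlines():
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        name = kv.get("QueryName", "").lower()
        if name and (name in domains or name.endswith(TUNNEL_SUFFIXES)):
            hits.append(line)
        elif (kv.get("DestinationIp"), int(kv.get("DestinationPort", 0))) in endpoints:
            hits.append(line)
    return hits


if __name__ == "__main__":
    iocs = indicators(NETWORK_TABLE)
    for key, n in sorted(iocs.items()):
        print(n, "x", key)
    for hit in match_log(SAMPLE_LOG, iocs):
        print("HIT", hit)
```

The matcher deliberately keys connections on ip:port rather than on the IP alone: the last constructed log line goes to the same relay address on 443 and is not reported, which is the behaviour you want when the address is shared tunnel infrastructure.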

Files

memory/1924-0-0x00007FFCF3B93000-0x00007FFCF3B95000-memory.dmp

memory/1924-1-0x0000000000010000-0x000000000008A000-memory.dmp

C:\Windows\xdwd.dll

MD5 16e5a492c9c6ae34c59683be9c51fa31
SHA1 97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

memory/1924-44-0x00007FFCF3B90000-0x00007FFCF4652000-memory.dmp

memory/1924-120-0x000000001C610000-0x000000001C686000-memory.dmp

memory/1924-121-0x0000000002210000-0x000000000221C000-memory.dmp

memory/1924-122-0x000000001B730000-0x000000001B74E000-memory.dmp

memory/1924-150-0x00007FFCF3B93000-0x00007FFCF3B95000-memory.dmp

memory/1924-259-0x00007FFCF3B90000-0x00007FFCF4652000-memory.dmp

C:\Users\Admin\Desktop\GetClose.eps

MD5 11995c714b2b79d7d96bdefe5dc39954
SHA1 ab2ddfdb3b802255cd2d1366918b790d49c60168
SHA256 4b11b2b324acd139264b2329e7ada7aca2d3f874e9876196b92e3a981850bf15
SHA512 ba46b6cd47cd1fc0027e0e8c96a224d56799d0c66e7f495a276fda16b7abd54bfd76913c6e2453e228334827f0cdf39cf66796a63e9e4f5d293b0df5e29c0803

C:\Users\Admin\Desktop\Microsoft Edge.lnk

MD5 dbe9e061ccb1838728e19eb472a45cc6
SHA1 b304395ac69541054753ac075ff3679f7296f895
SHA256 f3f21aa9b341aa2291ba0d97029cdc57dd322b27bd965691bbbcd049ae40db64
SHA512 951f60c43ba95e1aa8d05536031ee2ed64df609d11051fd103deae62cdee07b29745f23db00960ceacad2982847729446adb18d159ec6cbe781222a81a3e0ff8

C:\Users\Public\Desktop\Acrobat Reader DC.lnk

MD5 114f51c8e133382bcdebc919d33c5d81
SHA1 27e3d191919dcb5dce0b878667324c8ecdf5062f
SHA256 07a36364faf4bb26fb46d46ea9f2553b58484fb4ed109c3d3e36ca2ce12b16b9
SHA512 782e4e9f7586b1defabc91675aa4ad26ce9ba3a2caaff5d2487c0d382e8582558a31c51ae20f3f4f07b762c9e594ef9d6e2eb2a6c16aa249c73b0cbd857faa61

C:\Users\Admin\Desktop\WatchTest.cab

MD5 8f229078323416e1d39175a13cd3668b
SHA1 5ef306554499245a89f7c3374fcf7778dd7d4880
SHA256 44afcdee8a77c039eb00941ac1564936a44bc81f070c609b24af0c81995b5ef4
SHA512 51fe5330be4b3100fba6ea1d8dde24de1e4ac77a73a1c8d00628997513e768674454a36fa232ea276f910b18b1f4e620c84a47f4988fbade40e97ccb70b4af48

C:\Users\Admin\Desktop\WaitMove.easmx

MD5 a1a6b70aa4be09f143eb7a1955161d05
SHA1 a4bfd0de664a856908d693eecbccdb25419b6115
SHA256 76ef9561f4337f1bcde75b30b37086e2a7ef3c92f02dab1c25b1dcd064a80c18
SHA512 a045a2802d61320d0942d32bdb34cf3478cdc797e2a5432314abf9bc657ad461889d361b33f343a8131e2ecbb2e5e33255318e4dcfbceb10f714f2ebc5864f09

C:\Users\Admin\Desktop\UnregisterConfirm.vstx

MD5 fdb3545f540cf9c01e77554593183f49
SHA1 f92409feda62120c58932995e077dbe8517603ec
SHA256 daf5f4f911bf07edc36460d26a364f186245fb8a56e9a2eabd70419d58cd6895
SHA512 57c8c7bf01443e4b41f629ce59bc0cdfe284f95383340a07dd5ad44a667a16b37b5cdf7bf45c5c9297813200615ae0a377e8af2dfc1f4ec3d6e986e5aea68eee

C:\Users\Admin\Desktop\UnprotectSend.MOD

MD5 22a9fb5ea63daf8651734b191f681e07
SHA1 0a0ef9bc8ab275cb011011a8ac66d3e13af4dd51
SHA256 7abbd30dcbd7ca8b7d0ef1d675d2feb1aa055d672975f862dca163df5f5d9871
SHA512 ecb40e8e08e1edb6f263e3cea7f0c038a899fba86558dc43e76e55c4faf2e7fc7e58ab0a899c85f91a6bc13599407874f206a30f7fd48888b7e067cf3300c404

C:\Users\Admin\Desktop\UndoComplete.potx

MD5 f0d35dad01321c20380dd2d3777a223b
SHA1 78f3e1e2e924665b148b352f30031ce67b7749bd
SHA256 dfaa443085be00c3c5d86ab2203c69a5a9dcb63d2e6486ba786035b2d81a9e3d
SHA512 890bbaa0e44b0bc23e0c873ca5a9b2988375d876e10cccadb6c27948b0ef579ebad5996cbfc8a7ea47c53fbfa24bfd4717b17bc3be5af5f545fdef397d802666

C:\Users\Admin\Desktop\UnblockWatch.pptx

MD5 b13ac61595bcd9c170ff6726caa5120e
SHA1 2f71593425c9a969c07711ad2ef962baf0bac319
SHA256 df8cabc5f6d6a529632e52b6f8c008352e31be627505b1629d2f7f0ebda10b34
SHA512 3113a62fd464e7497cf9a32583de7e639458a85ef5bc267ed1ac5e1105185145c927c5268efab8cbe3486bb131fc56aee8494df7266743ca7e747abf65b623aa

C:\Users\Admin\Desktop\TracePop.mp2v

MD5 01533025aa92983ffa5dc507b7f3b7e1
SHA1 a866136c57c24cfb840b17228494be3570682975
SHA256 1c1c555854b11c058b84677c104b0bea9335ad964f0df8cd83e75edf29bde5f0
SHA512 098212286d877cb3c3141bd7c4d84561c7318e290b2c7907fe40191eb0fc66a21bce4c736a64177ccc1f61a009f4e79a663b592824e0b8bd1548877ecfd62a4a

C:\Users\Admin\Desktop\SkipDisable.wvx

MD5 580276b3211d0c7ff94687a72e920c8f
SHA1 218fc5289c91d517448765c7b72504ca4727ff9f
SHA256 863fba3a91590f20118014c248e541e11afb6cc2f4ca8705d94b986a6376fb6b
SHA512 1540dc4f13d81617a1eb85d97bc8061482a110cb2a92e2a74717629917d36e200f81c3b95955a1decb404a5cfd47dfc720dc624a846a05a8486d74f056366234

C:\Users\Admin\Desktop\SendDisable.wma

MD5 eabd228a4585db7420a3b1fadcbea294
SHA1 ade2ff691f167ed8d9e97b8d8f1bd941dcdda26e
SHA256 d897e38d68ce191bd7dfbe178a0fa624bc5676c2cb53233f4bbc880cf51be979
SHA512 f2891934035d7b4766eae1a0ae489cde3a5e8576d6cca0c0f30890812aef674b98f868478b245ce3b60b9ace61895ef8ce71d04c6f9700439ca399dbf795b28a

C:\Users\Admin\Desktop\ResumeExpand.hta

MD5 3e1a70bcb519441f0e3d75960d6b9198
SHA1 d2c195bd9f86c894b3f043735982a60edb3c282b
SHA256 2776f631d94da0f5f799ff1fffc5fe430726eb2bf7b14c56c1c6134382b35c4b
SHA512 2d8c8a43d51e54ef62610ad98f2df05c90ae6cc54a215d8d14e64987fcfd6d912b1ab9e2fa9ffafd1fd69d62268bcdbfb903d3c640bb83ee1db598a5749b07ea

C:\Users\Admin\Desktop\PushCompare.emf

MD5 b26c16377111ab71b7e96ec4c3998c7e
SHA1 3c12f809fb39c880756f361b0199ea14ac87d30c
SHA256 30e8e302a0fb63755b1c8d8c61ed0579b73a4d0398ebf1cd933c9cb00616fc60
SHA512 e45aaf78b7cba21a9282564f9a722cd2dfbce52991a8bdf0dbce21a644eefd693c436651299d639476472013036108eee41866ac6ac00e1659607a16a62e07b1

C:\Users\Admin\Desktop\InstallSwitch.hta

MD5 8bacaee4387e7e47d87fb0d54497f1d7
SHA1 df0be17ddc6f1e528546cfbbed903426d5d99558
SHA256 24b372fb5191a33432378d520c855d8f1452c85571f3e2421c6c627eee613178
SHA512 cc79de918cb323834ad9cfd3dd759af472002ce0fcd9d0ff3074e234fcce5b11fd278e8ae95b1f3563e482f5f17d2e28bc73a7e6c1a369c33b4e90bb6da03458

C:\Users\Admin\Desktop\InitializeRedo.cr2

MD5 1d26b70686532658fcbbf4c1b447969f
SHA1 01065f76b72acae0ef611a4a68c9f2fdb1f1a430
SHA256 71c626b6e4a4b142ab497ccd38705332cf40ab2b8a0252312ecd86868e6a5644
SHA512 34128a96f36be2f8c994948a5d5b7190872c131554450ffbc3447d4ed155493e0fe070d294e24e92aebf7906022d20a9aa9a0cdc0bf6892cec6b31f183465629

C:\Users\Admin\Desktop\GroupSend.mht

MD5 10012a4b16d530d3e4de5573b36ededb
SHA1 0e6ff57a2061c1a76f40d01936ccb3cfb38fca5e
SHA256 90ecf9102118aa8fd8492076e5d15daffecedf2c54bac4313df206fd77881edd
SHA512 f899c3b2aab4b07172ed49778f5e444e377ec173906374fde226cf2cf3ca71d988fe2e88e8bc73fe0b41d5e9094f6df7f43944d735a096da6f228405568d4fea

C:\Users\Admin\Desktop\GrantInstall.m4a

MD5 68c033be62acaceee0cc9257ff9b262b
SHA1 2e2debcf187a2333ec1e1bb659749a8975e66643
SHA256 ec85ebef573b20e217475bb7beb915716c6b14dc97f8ce85128d1729d1005a0a
SHA512 3c0f6791690fc52ea3787d0c6c8f1fa90ab4fdfed52f3add92baa04c6b747c4dee6d198aaaef12de49e6e27debcab6c65b0bc955367af980c555547007d4e749

C:\Users\Admin\Desktop\FormatMerge.xml

MD5 fc11c3f8645738a24e5be8277b251fea
SHA1 287e28ec2b94d753360d47d76419bbfe3f18336a
SHA256 51c2b8e5380629226e3392d2d3678c1575d87744ca23fd99523437e7146c9ce6
SHA512 541dbee14b46a8d21eba071b509e8c52707e88014c1f2fafd38d46731bbd28d12994e33964cc96aa6bf9f5638050876d10bb332da9bce11a89b0e7de201b4c94

C:\Users\Admin\Desktop\EnterWait.rle

MD5 f2903ad311f51cb372d27ff679de48cf
SHA1 2b55c95c89448b1bb0403580ffe502c7f5efaa98
SHA256 df2e062700bc26ec2419c506ba81d1c57d57602e5451dee96a45015b9d2be3c6
SHA512 ad87355e576c64562a49fb0d1d5bd264352cf3d0267c81a885acd890270568080704dfe4d9941082d7c986f91b363131bb44f072d10282045eea726669aa2d4f

C:\Users\Admin\Desktop\DisconnectStep.dot

MD5 7532b5a89d8e8425c152832a2c4648f8
SHA1 577edddfcc1a134f68652f4fd57587a3a3cddeb9
SHA256 bef229cba8f70bef94e0bf55d778efb70e01b5f3a18a289300e6f92540d1e947
SHA512 4f2feecef28d315818fb4d3cab932abef9a4860f0141555a219fdade479180afe4594d99a43881935e6b5fcd05d9d6d2ffcc1540f927cd4a746d408f855b9885

C:\Users\Admin\Desktop\ConvertFromSplit.m1v

MD5 5f8f01b0322839c4b264de42d5ea0478
SHA1 76657ca936420b03a21854b51c008199e245d7ad
SHA256 489b9268cfa0addbbf54898ceb3b74a7a6c92e04a254fd01e136a53eff911b2b
SHA512 b8d9044466efbafee1b80674445a222f85df7229f05f520f08bef7669f6496f54816c1e6de41f160b5206ef8c182799b37472dc400b987980b97410ba1248767

C:\Users\Admin\Desktop\ConvertFromCheckpoint.3gp2

MD5 4f1a470fa86ad9c1a84c8ddb4329d76a
SHA1 f1b57d3ef553559dc97d067749abd00718f73df5
SHA256 da86928c95c6a2a50524bb113270bb92d34be06f0e959a0cb0437bd8412195a2
SHA512 e86f1e96819e7c0f1b5f5a2e8adcfad0b99a8661c03a17b273b5eac4d50279d835735d91a35838b805d916d9d38734045c750b299874bb3e681e03ff8e320a0a

C:\Users\Admin\Desktop\CompareComplete.vdx

MD5 f88fcd1e6ca9766fe6c3b5bd65fea9cd
SHA1 826a34de80198e83fdda3789bf2704f4c41191a1
SHA256 ef7d8e03dba23a11040a02caad54a4933ff9ba367479dfc42c1fa9b030e0f9c0
SHA512 46684145d45db73c1958f0c3e75339a6ae56c95cb63c34549c60f704bfa7ca729a8aefa80a34785eb64810ace8987ae41a0a8190fceec17a4f287c3d5f2e14c8

C:\Users\Public\Desktop\Google Chrome.lnk

MD5 2eb702965aeabb66a1ce760bffbe5d75
SHA1 356e3395cb57bd0999ad880b75f4b090f7ed5280
SHA256 c88861cef0572764300091ab10e857f28e603cea679638c8c919145006eae871
SHA512 09bc89f5910dc7c324948d880d60d7b87523bae73a628881837afc5492705f56e4c7214c22519a41080b50d7d64e3ced585072fbbfbb7adf968ee20861df41ed

C:\Users\Public\Desktop\Firefox.lnk

MD5 d453202d8232b602218441b59b945265
SHA1 11c6a47fd44c9ae39fee7ff428cf4ee9b92337a9
SHA256 340569335d39de8184e9ea87bd3888d322cfaca127522b407f0279a4441c7147
SHA512 701ac99e1406d39ec55dadbc201b99301e949dcb3ef7f26228d96ae3d14c759135056a42c68fe4b527e279aa23517555b037ee19ed56e4246981ff37cc530891

C:\Users\Public\Desktop\VLC media player.lnk

MD5 55bc4c4831db98457a0134293f270124
SHA1 651f0e86ada21e2f95f919fd0364099d4ca34f4e
SHA256 894e3cea04571f7cb39d18e72293dc5908363ba183b79d2a0873688decb0256b
SHA512 91c64fe850c807172ab44aa5b08f0b3073e1d7782f3464e9f24e4818098c609991c7192243eac99f243a6d0209ad6d25e04a2a4bb7bdab585ee5d1ad20d25943

C:\Users\Admin\Desktop\SendUninstall.lock

MD5 8751bff9f7adeea1dd9f3a8e23a70df9
SHA1 d98833352f3ace86f8c537b2fa9ef25e5e59afe7
SHA256 6a34f0df668cdcdf12bf6ffcf9b6f95dc7178d5278b6ded0249b982eb387f9a7
SHA512 06fa2c294caf641ffe558598825f8482145d8a63a176fe88c3dc109838ed6fe3b89e638066d98105f2cc741afcb9cf02f437b27e8e9d9474c4f601ed39eca7b1

C:\Users\Admin\Desktop\ResumeFormat.rtf

MD5 982ffcac235aec27f7a66e99b78bc3b1
SHA1 18ff4d2c10b29d666e4fceb7633babac8b81f499
SHA256 9a54de0b697826e3ac6d66b29d560abaf132ef4e327153c94be625e43a111b5f
SHA512 bc1fb2b8970032ebe486d4bff9bb2488c5c170dd0cde9cb9ff6f792d86730125561287fb67528cb645e340f7f297be53cc985612ad27d22c8524814eaf38fde9

C:\Users\Admin\Desktop\StartRead.mp4v

MD5 99c96d03aae8a1aa02f49ec96dfceebd
SHA1 740511fcc4b63a00ad4306f4f329d3fc2419e306
SHA256 632be0df75214492c4da4864752586210f46c31124fc4b1cecdb78a26e0d94cf
SHA512 0c5ce9f0f1a2dc334d903201e99a622661ab8b809bb5b489291b769779191ed6dfb81db333151092136e1023089f1ecf99101a1f166b83ce31c9ac25c8ca33f2

C:\Users\Admin\Desktop\ConfirmRequest.3gp2

MD5 d615655c1da145b5c06ec8144d00c818
SHA1 2bc3a790e7b2570f92cd6315dc4fb28f548d1766
SHA256 ef9d773870f22b7a578fd1bd4c822558c7a87cfed4147b66298a21f1996a2584
SHA512 d5cb20655683e910338b686ef37a480d220038a8eeb9d9fe4117602926d52c56949ad766a92cea5b74ef7b1876a8ee3d43132c9e2de0f6ccacb2c0c6d4ed3852

C:\Users\Admin\Desktop\PopPush.lnk

MD5 9b777d8bc0888e7d2f932b8136b5b341
SHA1 b693cc7d25b1824f2afdb6a8464919e82fdd917b
SHA256 710df260a01a3d1c77ac266dd37ea2d0841dae4592bb4941d1ab1e56432db630
SHA512 d973fdea5cdde00000ccb3b771fff3c4e0a7005c2fc0f8e4c9a0c5dc1b24ecbe9101906e6a7a813cd5344f3ebd305500810d314bad8ddf44134e0845fd907bff

C:\Users\Admin\Desktop\LimitShow.potm

MD5 89fb9fdfceba969c7f5c316ea1de2029
SHA1 90249c12deaca4b9b565bb746a91eedfa7e03ec3
SHA256 0a6552ca1ff7e7383df6fb4dc2b6663be74704f961806b73c8788e36a5d87f5c
SHA512 efb3e88044e88f34c270b2c9068249db9b7f9ab44264cf4eb037cbb49bce6937541846cddb0aaa1005c5628cd10cf818843811ef56a236525e1826d30586c1f1

memory/1924-728-0x0000000002220000-0x000000000222C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0nctzun.xhg.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2268-738-0x000001B96D010000-0x000001B96D032000-memory.dmp

memory/2268-741-0x000001B96D0A0000-0x000001B96D1EF000-memory.dmp

memory/2496-820-0x0000000000400000-0x0000000000671000-memory.dmp

memory/2496-925-0x0000000000400000-0x0000000000671000-memory.dmp

memory/1924-1005-0x000000001BC20000-0x000000001BD66000-memory.dmp

memory/2496-1084-0x0000000000400000-0x0000000000671000-memory.dmp

C:\Users\Admin\Desktop\Trojan.exe

MD5 15da9bd223289ddbd72b041017b299f1
SHA1 98bd69a39508547ef9226c4bd4ace68c57b0f597
SHA256 f8650c9bdfbad7ea71c244b458e1867c45c0c077c4f352666dd9b4cf588299af
SHA512 493052b1600edc457799f44563ff192097229ae425fc0d1bba6d854fe77b14c6debe460cb48d583fcbc80e94e9c7d3b077c4693f993ef6b7bef5ffa70e056a60

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 aaf0727cf0ee91c7458cfef415781516
SHA1 8e32852edcc8535e40f7c7f3053be6ca33a43a05
SHA256 5b2ee6599886cf76f56ba490ed095d99ee6f7581366b097107e2901c260ca7c9
SHA512 1af368e734db987b9895bae27eb57f99b2e39c111b8bea1f181f452a5f2103147e5cdc03b01d683b098085a2158b3fc85e278993819caca1bd343c4e6a6882e1

memory/2496-1180-0x0000000000400000-0x0000000000671000-memory.dmp

memory/1676-1233-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3220-1286-0x0000018F26CC0000-0x0000018F26DC0000-memory.dmp

memory/3220-1269-0x0000018F05020000-0x0000018F05120000-memory.dmp

memory/3220-1288-0x0000018F271E0000-0x0000018F27200000-memory.dmp

memory/3220-1302-0x0000018F27E00000-0x0000018F27F00000-memory.dmp

memory/3220-1331-0x0000018F26EA0000-0x0000018F26EC0000-memory.dmp

memory/2496-1333-0x0000000000400000-0x0000000000671000-memory.dmp

memory/3220-1335-0x0000018F27920000-0x0000018F27940000-memory.dmp

memory/3220-1334-0x0000018F27AA0000-0x0000018F27AC0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\H3PMCBH8\www.bing[1].xml

MD5 bc54c11989d696eef9c2e76ecd8ff0f8
SHA1 261cadaef9db945e2b20b88e49b2f9654d529fb1
SHA256 1300bffd5651af8acf6d0b8b6b8aa6b12e692c628b17e841ee8c047fae188cc9
SHA512 bc4e0cf6857069c8ff683671772f59c97daf560217f1adc20a8b62144d5ebbdf44d58150634468e5633fa327b0475b09ddcbcba729334b7b7e2e7f31993dec7c

memory/2496-1596-0x0000000000400000-0x0000000000671000-memory.dmp
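
Added example, not part of the report: a Python parser for the Files section format used above (a path line followed by MD5, SHA1, SHA256 and SHA512 lines, and memory/PID-seq-start-end-memory.dmp entries for dumped regions). FILES_EXCERPT holds entries copied from the section above with the blank separator lines dropped; the triage buckets and their names are this example's own. Two caveats a reader of this section wants: __PSScriptPolicyTest_*.ps1 under %TEMP% is written by PowerShell itself at startup to probe script enforcement, so it shows that PowerShell ran, not that a script was dropped; and the Desktop entries with random verb-noun names and mixed extensions look like a sandbox's pre-seeded decoy documents, for which the report records only that they were written. The digest-length check is there so a truncated or mis-copied hash never makes it into a blocklist.

```python
"""Parser for the Files section format used above.

Added example, not part of the report. FILES_EXCERPT holds entries copied
from the section above with the blank separator lines dropped; the triage
buckets and their names are this example's own.
"""
import re
from collections import Counter, defaultdict

FILES_EXCERPT = r"""
memory/1924-0-0x00007FFCF3B93000-0x00007FFCF3B95000-memory.dmp
C:\Windows\xdwd.dll
MD5 16e5a492c9c6ae34c59683be9c51fa31
SHA1 97031b41f5c56f371c28ae0d62a2df7d585adaba
SHA256 35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66
SHA512 20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6
C:\Users\Admin\Desktop\GetClose.eps
MD5 11995c714b2b79d7d96bdefe5dc39954
SHA1 ab2ddfdb3b802255cd2d1366918b790d49c60168
SHA256 4b11b2b324acd139264b2329e7ada7aca2d3f874e9876196b92e3a981850bf15
SHA512 ba46b6cd47cd1fc0027e0e8c96a224d56799d0c66e7f495a276fda16b7abd54bfd76913c6e2453e228334827f0cdf39cf66796a63e9e4f5d293b0df5e29c0803
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v0nctzun.xhg.ps1
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
memory/2496-820-0x0000000000400000-0x0000000000671000-memory.dmp
memory/2496-925-0x0000000000400000-0x0000000000671000-memory.dmp
C:\Users\Admin\Desktop\Trojan.exe
MD5 15da9bd223289ddbd72b041017b299f1
SHA1 98bd69a39508547ef9226c4bd4ace68c57b0f597
SHA256 f8650c9bdfbad7ea71c244b458e1867c45c0c077c4f352666dd9b4cf588299af
SHA512 493052b1600edc457799f44563ff192097229ae425fc0d1bba6d854fe77b14c6debe460cb48d583fcbc80e94e9c7d3b077c4693f993ef6b7bef5ffa70e056a60
"""

MEM = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                 r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HASH = re.compile(r"^(?P<alg>MD5|SHA1|SHA256|SHA512) (?P<hex>[0-9a-fA-F]+)$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SCRIPT_EXT = (".exe", ".dll", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta", ".scr")


def classify_path(path):
    """Coarse triage bucket for a written file (labels are this example's)."""
    p = path.lower()
    if p.startswith("c:\\windows\\") and p.endswith((".exe", ".dll")):
        return "drop-in-windows-dir"
    # PowerShell writes this file itself at startup to probe script
    # enforcement (AppLocker/WDAC); it shows PowerShell ran, nothing more.
    if "\\__psscriptpolicytest_" in p and p.endswith(".ps1"):
        return "powershell-policy-probe"
    if p.endswith(SCRIPT_EXT):
        return "executable-drop"
    return "user-document"


def parse_files(text):
    """Return (files, regions). files: list of {path, hashes, kind} in report
    order; regions: {pid: [(seq, start, end), ...]} for the memory dumps.
    A digest whose length does not match its algorithm raises, so a
    mis-copied hash never reaches a blocklist."""
    files, regions, current = [], defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM.match(line)
        if m:
            regions[int(m["pid"])].append(
                (int(m["seq"]), int(m["start"], 16), int(m["end"], 16)))
            current = None
            continue
        h = HASH.match(line)
        if h and current is not None:
            if len(h["hex"]) != HEX_LEN[h["alg"]]:
                raise ValueError(f"{current['path']}: bad {h['alg']} length")
            current["hashes"][h["alg"]] = h["hex"].lower()
            continue
        current = {"path": line, "hashes": {}, "kind": classify_path(line)}
        files.append(current)
    return files, dict(regions)


def repeated_regions(regions):
    """Count how often each (pid, start, end) range was dumped; a range that
    recurs is the same mapping captured at several points during the run."""
    counts = Counter()
    for pid, ranges in regions.items():
        for _, start, end in ranges:
            counts[(pid, start, end)] += 1
    return counts


if __name__ == "__main__":
    files, regions = parse_files(FILES_EXCERPT)
    for f in files:
        print(f["kind"], f["path"], f["hashes"]["SHA256"])
    for (pid, s, e), n in repeated_regions(regions).items():
        print(f"pid {pid}: {s:#x}-{e:#x} ({e - s:#x} bytes) dumped {n}x")
```

Extension-based bucketing is a coarse first pass only: a decoy document with a script extension lands in the executable bucket, and a dropped payload with a harmless extension does not, so the buckets order what to look at first rather than decide what is malicious.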