(Hashes:SHA256=6b311c0a977d21e772ac4e99762234da852bbf84293386fbe78622a96c0b052f* OR Hashes:SHA256=c60ead92cd376b689d1b4450f2578b36ea0bf64f3963cfa5546279fa4424c2a5*) OR (Image:\\schtasks.exe (CommandLine:Create* CommandLine:\/RU* CommandLine:SYSTEM* CommandLine:\\Microsoft\\Windows\\WinSrv*) (CommandLine:servtask.bat* OR CommandLine:execute.bat* OR CommandLine:doit.bat*)) OR (Image:\\schtasks.exe (CommandLine:Delete* CommandLine:\/F\ * CommandLine:\\Microsoft\\Windows\\WinSrv*)) OR (CommandLine:Get\-ChildItem* CommandLine:.save* CommandLine:Compress\-Archive\ \-DestinationPath\ C\:\\ProgramData\\*)