: New entries in the Windows Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run . Recommended Actions
: Unexpected instances of powershell.exe or cmd.exe running in the background.
: If you have already executed the file, disconnect the device from the internet to stop data exfiltration.
