Malware Analysis Report

2024-11-16 12:21

Sample ID: 240414-xvvhaabc65
Target: Client.exe
SHA256: e31541442c6ea6b69ac70159e8a532842bbdfe79d3e2acae6cca56a805458e93
Tags: neshta evasion persistence spyware stealer upx xworm collection rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file Client.exe was found to be: Known bad.

Malicious Activity Summary

neshta evasion persistence spyware stealer upx xworm collection rat trojan

Detect Xworm Payload

Neshta

Modifies WinLogon for persistence

Detect Neshta payload

Xworm

Disables Task Manager via registry modification

ACProtect 1.3x - 1.4x DLL software

Reads user/profile data of web browsers

UPX packed file

Modifies system executable filetype association

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops startup file

Adds Run key to start application

Enumerates connected drives

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Kills process with taskkill

Modifies registry class

outlook_win_path

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Creates scheduled task(s)

Enumerates system info in registry

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-14 19:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-14 19:10
Reported: 2024-04-14 19:18
Platform: win7-20240221-en
Max time kernel: 387s
Max time network: 397s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Detect Neshta payload

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Media\\xdwdCli3nt.exe" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Neshta

persistence spyware neshta

Disables Task Manager via registry modification

evasion

ACProtect 1.3x - 1.4x DLL software

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.h C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfh010.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfc007.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfh00C.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfh011.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File opened for modification C:\Windows\system32\PerfStringBackup.INI C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\wbem\Performance\WmiApRpl_new.ini C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfh007.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfh009.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfc00A.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\perfc011.dat C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\system32\PerfStringBackup.TMP C:\Windows\system32\wbem\WmiApSrv.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File created C:\Program Files\Nvidia\xdwdWichD0g.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~4.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CNFNOT32.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\POWERPNT.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\WinMail.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ONENOTEM.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\Eula.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Windows\svchost.com N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Media\xdwdCli3nt.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\Media C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File created C:\Windows\Media\xdwdCli3nt.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WmiApSrv.exe N/A
File created C:\Windows\inf\WmiApRpl\0009\WmiApRpl.ini C:\Windows\system32\wbem\WmiApSrv.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File created C:\Windows\inf\WmiApRpl\WmiApRpl.h C:\Windows\system32\wbem\WmiApSrv.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1036 wrote to memory of 2504 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1036 wrote to memory of 2156 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1036 wrote to memory of 2540 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1036 wrote to memory of 2424 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2809758,0x7fef2809768,0x7fef2809778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1136 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1548 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1632 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2112 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2120 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1116 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3252 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3396 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3576 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:8

C:\Windows\system32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows Update" /tr "C:\Windows\Media\xdwdCli3nt.exe"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "RunTimeBroker" /tr "C:\Program Files\Nvidia\xdwdWichD0g.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "RunTimeBroker" /tr "C:\Program Files\Nvidia\xdwdWichD0g.exe" /RL HIGHEST

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3696 --field-trial-handle=1224,i,3101042175621427281,11404623780882350794,131072 /prefetch:1

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\wbem\wmiprvse.exe -Embedding

C:\Windows\system32\taskeng.exe

taskeng.exe {AF20FA0C-7D5A-49BD-B87B-5A8FE80040F1} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\3tc52ygm.ha0.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\3tc52ygm.ha0.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\3tc52ygm.ha0.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE"

C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE

C:\Users\Admin\AppData\Local\Temp\WINLOC~1.EXE

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2ec

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c "TASKKILL /F /IM "explorer.exe""

C:\Windows\SysWOW64\taskkill.exe

TASKKILL /F /IM "explorer.exe"

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com udp
US 8.8.8.8:53 apis.google.com udp
GB 216.58.201.110:443 apis.google.com tcp
US 8.8.8.8:53 19.ip.gl.ply.gg udp
US 147.185.221.19:25211 19.ip.gl.ply.gg tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 ogs.google.com udp
GB 172.217.16.238:443 ogs.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 142.250.179.227:443 ssl.gstatic.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-14 19:10

Reported

2024-04-14 19:41

Platform

win10v2004-20240412-en

Max time kernel

1799s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

Signatures

Detect Xworm Payload

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Media\\xdwdCli3nt.exe" N/A N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Media\\xdwdCli3nt.exe" C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\Videos\\xdwdDaVinci Resolve.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nm4lcfpk.r52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Media\\xdwdCli3nt.exe" C:\Program Files\Nvidia\xdwdWichD0g.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Windows\\Media\\xdwdCli3nt.exe" C:\Windows\Media\xdwdCli3nt.exe N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Program Files\Nvidia\xdwdWichD0g.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation N/A N/A
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\chns53ep.bxh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\xdwdPaint.NET Update.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nm4lcfpk.r52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\H: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\J: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\L: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Q: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Y: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\B: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\M: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\N: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\P: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\R: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\S: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\K: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\O: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\V: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\X: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\Z: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\A: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\E: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\I: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\T: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\U: C:\Windows\System32\WScript.exe N/A
File opened (read-only) \??\W: C:\Windows\System32\WScript.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A icanhazip.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Nvidia\xdwdWichD0g.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Program Files\Nvidia C:\Windows\Media\xdwdCli3nt.exe N/A
File opened for modification C:\Program Files\Nvidia\xdwdWichD0g.exe C:\Program Files\Nvidia\xdwdWichD0g.exe N/A
File opened for modification C:\Program Files\Nvidia\xdwdWichD0g.exe C:\Windows\Media\xdwdCli3nt.exe N/A
File opened for modification C:\Program Files\Nvidia N/A N/A
File opened for modification C:\Program Files\Nvidia C:\Program Files\Nvidia\xdwdWichD0g.exe N/A
File opened for modification C:\Program Files\Nvidia\xdwdWichD0g.exe N/A N/A
File created C:\Program Files\Nvidia\xdwdWichD0g.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Program Files\Nvidia C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Media\xdwdCli3nt.exe C:\Windows\Media\xdwdCli3nt.exe N/A
File opened for modification C:\Windows\Media\xdwdCli3nt.exe N/A N/A
File opened for modification C:\Windows\Media\xdwdCli3nt.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\Media\xdwdCli3nt.exe C:\Program Files\Nvidia\xdwdWichD0g.exe N/A
File opened for modification C:\Windows\Media C:\Program Files\Nvidia\xdwdWichD0g.exe N/A
File opened for modification C:\Windows\Media N/A N/A
File opened for modification C:\Windows\Media C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
File opened for modification C:\Windows\Media C:\Windows\Media\xdwdCli3nt.exe N/A
File created C:\Windows\Media\xdwdCli3nt.exe C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files\Nvidia\xdwdWichD0g.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1826666146-2574340311-1877551059-1000\{59CD9CC6-A721-42F1-BE59-68BDB0C4779F} C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\Nvidia\xdwdWichD0g.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WScript.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Program Files\Nvidia\xdwdWichD0g.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Media\xdwdCli3nt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nm4lcfpk.r52.exe N/A
Token: SeDebugPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Client.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe N/A
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1668 wrote to memory of 1724 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1724 wrote to memory of 4472 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2904 wrote to memory of 1640 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3044 wrote to memory of 3260 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3044 wrote to memory of 3260 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 3264 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3264 wrote to memory of 1684 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 5000 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 5000 wrote to memory of 3576 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 5000 wrote to memory of 3576 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1336 wrote to memory of 1672 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1336 wrote to memory of 1672 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 5040 wrote to memory of 3200 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 5040 wrote to memory of 3200 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 4948 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4948 wrote to memory of 3168 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4948 wrote to memory of 3168 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2592 wrote to memory of 4940 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2592 wrote to memory of 4940 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3528 wrote to memory of 4064 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3528 wrote to memory of 4064 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4756 wrote to memory of 4612 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4756 wrote to memory of 4612 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 3700 wrote to memory of 2928 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 3700 wrote to memory of 2928 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 4280 wrote to memory of 3448 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 4280 wrote to memory of 3448 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 2024 wrote to memory of 4920 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 2024 wrote to memory of 4920 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 5032 wrote to memory of 4488 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 5032 wrote to memory of 4488 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1668 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1668 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\Client.exe C:\Windows\SYSTEM32\CMD.exe
PID 1048 wrote to memory of 4792 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe
PID 1048 wrote to memory of 4792 N/A C:\Windows\SYSTEM32\CMD.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Client.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Client.exe

"C:\Users\Admin\AppData\Local\Temp\Client.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Windows Update" /tr "C:\Windows\Media\xdwdCli3nt.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "RunTimeBroker" /tr "C:\Program Files\Nvidia\xdwdWichD0g.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "RunTimeBroker" /tr "C:\Program Files\Nvidia\xdwdWichD0g.exe" /RL HIGHEST

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb93ec46f8,0x7ffb93ec4708,0x7ffb93ec4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb93ec46f8,0x7ffb93ec4708,0x7ffb93ec4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,853376781951720815,13929046712589834677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3404 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\chns53ep.bxh.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\chns53ep.bxh.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\chns53ep.bxh.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\chns53ep.bxh.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2E50.tmp\2E51.tmp\2E52.bat C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\chns53ep.bxh.exe"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\i.VBS"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4e8 0x444

C:\Program Files\Nvidia\xdwdWichD0g.exe

"C:\Program Files\Nvidia\xdwdWichD0g.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4127048059806675931,18300685312778115470,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2692 /prefetch:2

C:\Windows\Media\xdwdCli3nt.exe

"C:\Windows\Media\xdwdCli3nt.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe"' & exit

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c5gi5eut.vuh.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb93ec46f8,0x7ffb93ec4708,0x7ffb93ec4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nm4lcfpk.r52.exe"' & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nm4lcfpk.r52.exe"'

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nm4lcfpk.r52.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\nm4lcfpk.r52.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Program Files\Nvidia\xdwdWichD0g.exe

"C:\Program Files\Nvidia\xdwdWichD0g.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "VLC Media Player Update" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "VLC Media Player Update" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Rainmeter" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdPaint.NET Update.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "Rainmeter" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdPaint.NET Update.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\Media\xdwdCli3nt.exe

"C:\Windows\Media\xdwdCli3nt.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,11001354054250481515,14963082434788664577,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3676 /prefetch:2

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Program Files\Nvidia\xdwdWichD0g.exe

"C:\Program Files\Nvidia\xdwdWichD0g.exe"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\xdwdPaint.NET"

C:\Windows\Media\xdwdCli3nt.exe

"C:\Windows\Media\xdwdCli3nt.exe"

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST & exit

C:\Windows\SYSTEM32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "FL Studio" /tr "C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "System Update" /tr "C:\Windows\Media\xdwdCli3nt.exe" /RL HIGHEST

C:\Users\Admin\AppData\Roaming\svchost.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

Network


Files

memory/1668-0-0x0000000000960000-0x00000000009A0000-memory.dmp

memory/1668-1-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

C:\Windows\Media\xdwdCli3nt.exe

MD5 63d226309f64a9e9e7ebdc3f1ea44a66
SHA1 f32c4ea507f3429fa5047fb95b041a9543c1e22f
SHA256 bc24ccef9b9a26a42b51f4741029008d272569b439776c03b46a0551c70090f6
SHA512 cf57e6c19629f6330c861f85436f6c90c0fb269fcfe413648eb39bede909fa8e68dcfd7ae9dc056b0c5edd1c5e4d7e0ff21f018d57073229bf6e33601a2c3c4b

memory/1668-24-0x000000001BD60000-0x000000001BD70000-memory.dmp

memory/1668-67-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/1668-99-0x0000000002B10000-0x0000000002B1C000-memory.dmp

memory/1668-98-0x000000001DFD0000-0x000000001E046000-memory.dmp

memory/1668-100-0x000000001BCA0000-0x000000001BCBE000-memory.dmp

memory/1668-234-0x000000001BD60000-0x000000001BD70000-memory.dmp

memory/1668-1277-0x000000001D320000-0x000000001D466000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 62677bdc196e22a7b4c8a595efb130cd
SHA1 bd2adf18caf764c8f034c08b6269d9693875f3c8
SHA256 b540616d7e73ff22642f4fbe2bea0f9daa2f1166391e76cf817b2a93e0bd41d6
SHA512 d23c3b9662eea6a75382242fb8e8084abc1127afbd2632f161df71a2aefaf223621511e1bf6229cf7e86313101a8d9dfe2f20e1c0bd481066e1969cd6fa75e32

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 22bb6af63c7710354ac7070e45ac988c
SHA1 34d29d6b316e39ed8fb8c5efb42c4269040fcf1f
SHA256 1a70d5d3dfc04e6f5cfec1ceb06676039229f895f30007fdb55b043ed48ab4fb
SHA512 42c12820b5237caa5b4d5149901f84db6619a69e85cb869df06e07b3cad1b51e0c2d0545ee0129cbc8e7947fd8c2989def537ad2d58a1d5bf2c2a1bf60041ca3

\??\pipe\LOCAL\crashpad_4260_UOYIWRRNEXNXXYXC

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8ba2d0f67953c7377d0372fba50016a1
SHA1 49e026cfbff145de06b3db3c64ee77d7882dc132
SHA256 0e52b6fd7a045643584bc1d3d3efacc1fb84b1c8ea052501da4941d60c302089
SHA512 bc94dde4656bd5fa3688eb150924c8e09f83b49b186b6193c6792dcb17a47339dbe488f168668ba017763804cae13f78fae2192491fde99d96291b8940f64dfd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 dede8936c6800e9beb9bdf4404df571a
SHA1 ec6c3a5b9da7a25bd6c385abc8caef86c6a56ca9
SHA256 e20023e790e90b2539f2371e48bd2b0d3bbc033b54ec5fb66c90bd7b28cd3fa6
SHA512 951c31e5c0cad15019feb30edc7aec2463068820086614733114898930d567b04ddbabd1d6688faea501802600ebb18e2fafd9071fef5a08cc735a7ef27575b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 4c2fb691ca3e2319c7453baa5b7da1a6
SHA1 3772cd58c53e1d6f2133820c81e86c451b2a1fd2
SHA256 3d4d88f33a529e37e1fea49e29c222167a7f3bb79fb0194db88934c83a2e30ef
SHA512 d9a43c1d63aabd44459ea0e903c651022742bbdb5c845e7a453c4db5d475ba3f86d8cffb8ca36b7932c64ff928ef640fb0923ecf529633fe3fbc489e8ec43540

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 efba851e4277e2046b635aac12f725c1
SHA1 d12151bce12679c3d50c19b4e19f158001f2d3fb
SHA256 b99c0b1e126a7358de6ee78afdb8f8a4801479a288df18139f9f7b317fe17c83
SHA512 5063e8bf7f94ae96ee4709760fb82de1d27e6c9ebd6dc3c968189a793788a1173902a83affe1445bc5eef5561f8328181eb922c75b43e2eefdcb31b64f6675d1

memory/1668-2041-0x0000000002A10000-0x0000000002A1C000-memory.dmp

memory/324-2065-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rvqjs1wt.ndm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/324-2066-0x00000245E9080000-0x00000245E9090000-memory.dmp

memory/324-2068-0x00000245E9190000-0x00000245E91B2000-memory.dmp

memory/324-2067-0x00000245E9080000-0x00000245E9090000-memory.dmp

memory/324-2069-0x00000245E9080000-0x00000245E9090000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\chns53ep.bxh.exe

MD5 49edb4ec07b391ea6870fe2ee46f3a12
SHA1 949fc2320265bfa9fbc8c14f407b65f9c021fc60
SHA256 30753793ce4b36830eb0d39ab6c252c2d1054f0a29270f9719696353bde316c7
SHA512 6f975eae7906d55fd8f3ea1abcd8d455058d76c1add9a31b8df3377725aafd0d4bb7726fd2c31a024894d362ed132e98a4e30f569d37c2bb3ed1ff79d7d429c4

memory/4600-2089-0x0000000000400000-0x0000000000536000-memory.dmp

memory/324-2092-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2E50.tmp\2E51.tmp\2E52.bat

MD5 73fe4a3a31192292dd762ad07ba14ea5
SHA1 81e8b9bed4bed6f82d8b277e1f4ff087651563ca
SHA256 2a0e0e7e8f76678e692b14c6be787c536428226dd9782495f1abea66b90fa6bc
SHA512 5ad959ca609da146d093de2c731b370a5c1f8ab56a0968307bba5859ec0d8e067d79da04d26f66fdd7aa81fdc35e0812e9993f848ed927c187021107ce44357b

C:\Users\Admin\AppData\Roaming\i.VBS

MD5 64ab69f1167c5ab2bdc6e27119317d94
SHA1 c3d0fa731e7b82aab121a615fba5f7556013695e
SHA256 7a26cf62afb1ba6efc63865a151cb64a0cfb2de1b22543aff89ecfaacacf0f4d
SHA512 0c13d4c5b4d6055acf110f88d915ad24885bdaa91189c6fcd4f769605ae010764b4f7b848ad394ec74979c2b9b65cf354a5847ee54805f935f711f128f444189

C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

MD5 7050d5ae8acfbe560fa11073fef8185d
SHA1 5bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256 cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512 a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

C:\Users\Admin\AppData\Roaming\hh.mp3

MD5 e5ac8bc2410ac31a25e81fd066e446fd
SHA1 af005df3d4bee956931c1228f784e738a742319f
SHA256 418b3618c245f1f853c0c8389f6dd16f45ba36851e1dd7d05f3d70e325927d33
SHA512 116eb01e08bc7d7812c5985b9f0f73b53420c188dd3c5bd540342a16405eddd0a3cdcdd36f6b39baeb7f8509bd60ca374cadeaade3e6e00fdf12cb1d41aa7aed

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

MD5 41e020ee798eceb4ac90cba2142a7a1b
SHA1 714ffdf4ddc441ae72c3fb2e4548a8219ad06fb8
SHA256 60968b6f285adc7f7347c43815c17a27a383807366f91212b81b17cac20131a8
SHA512 29d22703589df058c7f3509ce58f8e2f8fdf1fc2077e0622a796e4f9c17e563994e3cce83d74b5d58d79ae5b335a1e114c86ca7fe149bab10c3656c0acb0ae76

memory/4600-2232-0x0000000000400000-0x0000000000536000-memory.dmp

C:\Program Files\Nvidia\xdwdWichD0g.exe

MD5 0b2836be37a23e70b76739b41d418932
SHA1 97a75275ec4a318bad2c1f92e7c5403c47397d4c
SHA256 8ed57cc565dc1e3d77922d314f955ee7c4ecadac5f0c1fd0e259ea37df36ff01
SHA512 ceeea8a413788cad01a0c72f4aa79983e315a940e0e3dc142993e9c984a1d902922f502c974f38c500781ffd082e79a368433944b7235be390bbf9638dfe408c

memory/3164-2483-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/3164-2555-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 39e8a1343e0da534528ac13facc6e16d
SHA1 c920b790f808228e19cf82715b1ea2d5c8a4d684
SHA256 c8476cea92969267ed33d2efeb2572ca5d23bccc01056600d70fdc8e01a54b76
SHA512 f8da3dcdac90369927242efc3fe63bddbe6a8dd891d01f5fb0ed13fc5b097e485c9691235014ed727a11d20574c9ab2f9a456fd8bff64147e8596aec2c14c04f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 7225a278de8b3b51361282c2fd0aaa28
SHA1 118bec7180950c89e024f42ba9d79d6b726906ec
SHA256 8d727253d02324f1319e9cec9c154f1260dff74a039a8adae79887cd3e089f39
SHA512 7d13bbe33bde237bba9a7a3b1073b9cf7dae3310362c7cdb90e94f68dc51caa7236f45338f9d31038b25a0b0e8eb23f83d269537ab91668d965ef70143fc6b02

memory/4880-2606-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/3164-2607-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 fd5f4fa9095123536134666b535bdc75
SHA1 eb8a3b1c31d2a21bd5d698d5a43f57174cdcba7e
SHA256 e59f776ecd79b838ede23cc299db6d6571a418df68863fc84a2259e740ccb9bb
SHA512 a55411a52ae37266dbb1c022004243cfa068b75aea634340c1883395148ff6b1254fa79328a0ecd4d5a6befd7659a839e4bcfd5f6e66320812b00b0f306752fe

memory/4880-2648-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/1668-2661-0x000000001B680000-0x000000001B706000-memory.dmp

memory/1668-2663-0x000000001B710000-0x000000001B71A000-memory.dmp

memory/1668-2666-0x000000001D940000-0x000000001D9DA000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 5c638e156b530f5857e0fb871a7b6a8c
SHA1 6053d2231b0564a8cec1629fbd42f50b067e90fb
SHA256 60a99cb7841fa2a7698a0c331f425d390c6dce0f9458be72b0853368b85ebdfd
SHA512 b395dfe67409169d19516183be8941b7d12715c9d02329ca753874e77caa37dbbc257bc643b6cba4efb6b138ca3ff65a2d565f07e6aaa26b9dc0065885864ea0

C:\Users\Admin\AppData\Local\Temp\s0h0nw1f.tay\Browsers\Firefox\Bookmarks.txt

MD5 2e9d094dda5cdc3ce6519f75943a4ff4
SHA1 5d989b4ac8b699781681fe75ed9ef98191a5096c
SHA256 c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142
SHA512 d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a6c9d692ed2826ecb12c09356e69cc09
SHA1 def728a6138cf083d8a7c61337f3c9dade41a37f
SHA256 a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b
SHA512 2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

memory/3044-2740-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/3044-2742-0x00000149BEE60000-0x00000149BEE70000-memory.dmp

memory/3044-2743-0x00000149BEE60000-0x00000149BEE70000-memory.dmp

memory/3044-2741-0x00000149BEE60000-0x00000149BEE70000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\c5gi5eut.vuh.exe

MD5 16921e8322ef5e648bd1daf03a2f81c1
SHA1 817deea9e8815293fb0f501069629fbb27ed3101
SHA256 0b141d4e4ae5705612645f8b7cbc418afaad8dfd6f2c97211fc584e16566b7d5
SHA512 30320755421e8447e4ebe813a67c9688e0894f8b5e00b20425824a82b38280a26781464c2eb970ff3cfbb4d816f6e13eadd6b33b1f3c03a416a8bf8611171b74

memory/2928-2748-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/2928-2747-0x0000000000D30000-0x0000000000D46000-memory.dmp

memory/3044-2749-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/2928-2750-0x000000001BAC0000-0x000000001BAD0000-memory.dmp

memory/1672-2752-0x0000013D6E520000-0x0000013D6E530000-memory.dmp

memory/1672-2753-0x0000013D6E520000-0x0000013D6E530000-memory.dmp

memory/1672-2751-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

memory/1672-2764-0x0000013D6E520000-0x0000013D6E530000-memory.dmp

memory/1672-2766-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/2392-2767-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/2392-2768-0x0000024776BF0000-0x0000024776C00000-memory.dmp

memory/2392-2769-0x0000024776BF0000-0x0000024776C00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96ff1ee586a153b4e7ce8661cabc0442
SHA1 140d4ff1840cb40601489f3826954386af612136
SHA256 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

memory/2392-2780-0x0000024776BF0000-0x0000024776C00000-memory.dmp

memory/2392-2782-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/4184-2794-0x000002C6FE250000-0x000002C6FE260000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 22310ad6749d8cc38284aa616efcd100
SHA1 440ef4a0a53bfa7c83fe84326a1dff4326dcb515
SHA256 55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf
SHA512 2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

memory/4184-2789-0x000002C6FE250000-0x000002C6FE260000-memory.dmp

memory/4184-2797-0x000002C6FE250000-0x000002C6FE260000-memory.dmp

memory/2928-2796-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/4184-2788-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/4184-2799-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/3852-2800-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/3852-2810-0x0000021480520000-0x0000021480530000-memory.dmp

memory/3852-2813-0x0000021480520000-0x0000021480530000-memory.dmp

memory/3852-2814-0x0000021480520000-0x0000021480530000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dd1d0b083fedf44b482a028fb70b96e8
SHA1 dc9c027937c9f6d52268a1504cbae42a39c8d36a
SHA256 cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c
SHA512 96bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973

memory/3852-2816-0x00007FFB93260000-0x00007FFB93D21000-memory.dmp

memory/3852-2811-0x0000021480520000-0x0000021480530000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b86dccc807a75965c64904eaa94cae6e
SHA1 f14ba902967236bee2d420bf79a22547ac521b75
SHA256 ae5041c98707387c3a0654a16ad204b7292667cde7ba72389762ce3140c2aa87
SHA512 97a02b717429a12ba522fc8e2252a31b981c9dbace70f28dc1554fcf35a69ba6adb755e94d24dcb82f09361b6422217e8beaedd7fd725aa7becfea20dd0dedc3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

MD5 a9851aa4c3c8af2d1bd8834201b2ba51
SHA1 fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256 e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA512 41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

MD5 df5c1e09354f11635f9cebb5e08ec873
SHA1 77d3bb31b085f01893b5f34a086060c0e5f2cf5e
SHA256 8717a70898a66ec2ac434914b44fac69060e2c353c5c7c9c91fd45742a31a37b
SHA512 cd9ca60a4c9835a56a09b834c48751b8636341334dd0b7758891a10d4157832ae22bd38ecac0c367b9374616330b5db35970da9cb82e7b03f19594e5faf2197e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

MD5 336f0e9fbd4ccd4898defadf192ba9a4
SHA1 34dc4e673735b0a5e3b7399f247ec72b1b31e6df
SHA256 03ad092950ad8daa5106b5c89909446b454e759ee3a3f55e19af2228011f82a7
SHA512 3675290ade8a0e55f91ca2850256d0840150f729284a3b9c458bc5d7fb91ba52cd9e5f941026658007ae1db6928432454168f2efd4de976919f222d0b889407c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ec51df7d801c22a58af4590aad599771
SHA1 dd530104baa0f6e3aea50118614e38c5cc710a0a
SHA256 c88ba9d7a88ebdbcd240130af37f28b0517a53ead1b0918b3fac06dba0fc56de
SHA512 1193f914894c46676ead8d171a8a2ac3967c0e9ba421292e2f881b3432d3552646ee926595767854cbbfe67653171127f737c03fbcee30de0471d2e3ed26da42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

MD5 5fd390c7b5c0c28679ad363ee21ea3b4
SHA1 a4e9b01f3f4878fb8cdb48a849c58bdc22814b61
SHA256 daabaa20d4587ba9b55288d938db9201a845e42e80752936cf6846cac5d8b83b
SHA512 4c081c473582e5c2c8287ada5386cb2fe4c3c20940e7805319cf80ab5091b28d532be515fd8047ebf68a2f1f5dcfb71bbb6ab6c57ca021abd30efe0282a02c03

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

MD5 0e39f56e0acdeff62de829559c74a1f2
SHA1 541eb3ac897807f24bdf87663c00a9fc0e5fba39
SHA256 567f4544a74290967b7b4d7a8eba4aa3881959e388e20e2d4fbba90661d7b1cc
SHA512 12521f3b9135e16de45ba4e55d4318bc65dbb1bb2c13c8e183897321ae20a5e3695a0c62b86ea3191b8613a95e0aec6276308715b72f88af25f9b4779ddceb2c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

MD5 fa1af62bdaf3c63591454d2631d5dd6d
SHA1 14fc1fc51a9b7ccab8f04c45d84442ed02eb9466
SHA256 00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d
SHA512 2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

MD5 9320db14fd89de7eb913b47f8de30f4c
SHA1 e2ac61bac4f9266d2af10744f5ba5438f29297a7
SHA256 7f27f1625033ae40a7bcadc0de11a60c8897b5a50224e97822fbacf9e4e1c949
SHA512 35f5bb293143cfa5b9e16b87c5a7aec6e66d972b3c6f2cf5ce38743ba0bb0f794e202480f61dd7ccd000245cc84ad3b06caf1415acd81c0b9abfa396424d1e4a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

MD5 daacdf887c76923c2f0f9ee3f513e621
SHA1 79249780c4af3e712c9bc7dc449dfeb3d35a8959
SHA256 d8b1ba5a37c8e3d4a88bd2d46612edea89c14e3001e410363641d503f4225125
SHA512 67b04e353908658cafb147ca7a13dd5a9cc05b730c208236370a7c59be071703f54335ec85dc77cb814c282130f2d93e2b3b3b6e545b0156259004000fd18010

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

MD5 0fffe48679f9908997346e8a4ff50221
SHA1 01d8e918503f5eb867687dc51871a29bf1599814
SHA256 e14dab3ac0f55ac2a569bb5644b40f54b505b6a8ce7ec730c017594923ab25df
SHA512 6a6d7513caa2fee710a777dfd1b96b28bd998da7d52d42a97c1bb6f1228178461bb924176650cc318d68e72d20d16fecc0dc576a5f88f79fa5906fc0d2b16443

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

MD5 9abe7fcbaa64544a2ee6086a53218714
SHA1 87017b28959188159a404898c1019960a2092dba
SHA256 d7ee50ea60c2a8695705837ec10c96fd68fb15c246dc41248e93499faf8e90f9
SHA512 3abe6b697b594465db056fed78ee5977d932967c97594c1d60f5b07c7979615bc93484a1596edfaf3dde96cf28d2d999205fab78460634df603e0dfcbd85280a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

MD5 b495a5de93ca98a92b976f974b887df1
SHA1 008ebe253eabe65d036207b2324ac0422c194d9f
SHA256 1b6d8927748a0064d82646e28a2c9e61be526cc697f8e35abddae34ed6a236de
SHA512 63ad121ffc03e039725d844e9f72d28723642be65ac8b335a57a07948a4372ec6429e5d35953d0d3ec00afe2e03103b28d87414dba4e7ae3615844b784bc0ffe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13357595663787858

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Temp\tmpFF48.tmp.dat

C:\Users\Admin\AppData\Local\Temp\tmpFF6A.tmp.dat

C:\Users\Admin\AppData\Local\Temp\tmpFF47.tmp.dat

C:\Users\Admin\AppData\Local\Temp\tmpFF9E.tmp.dat

C:\Users\Admin\Videos\xdwdDaVinci Resolve.exe
