Analysis Overview
SHA256
64e4ba2eff7e8abd6c738c4360079a3ced0a6d22e8935c2f8216d69b178075d3
Threat Level: Known bad
The file CrackLauncher.exe was found to be: Known bad.
Malicious Activity Summary
xmrig
DcRat
UAC bypass
Modifies WinLogon for persistence
Process spawned unexpected child process
XMRig Miner payload
DCRat payload
Command and Scripting Interpreter: PowerShell
Stops running service(s)
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Power Settings
Checks whether UAC is enabled
Adds Run key to start application
Looks up external IP address via web service
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
System policy modification
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-15 19:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-15 19:26
Reported
2024-07-15 19:29
Platform
win7-20240708-en
Max time kernel
49s
Max time network
139s
Command Line
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\", \"C:\\Users\\All Users\\Application Data\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\", \"C:\\Users\\All Users\\Application Data\\cmd.exe\", \"C:\\ComsurrogateServerdll\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Users\\Public\\Downloads\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\", \"C:\\Users\\All Users\\Application Data\\cmd.exe\", \"C:\\ComsurrogateServerdll\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Users\\Public\\Downloads\\reviewNet.exe\", \"C:\\Windows\\SoftwareDistribution\\DataStore\\smss.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\", \"C:\\Users\\All Users\\Application Data\\cmd.exe\", \"C:\\ComsurrogateServerdll\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Google\\Update\\Offline\\cmd.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\", \"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\fr\\conhost.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\", \"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\", \"C:\\Users\\Admin\\wininit.exe\", \"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\", \"C:\\Users\\All Users\\Application Data\\cmd.exe\", \"C:\\ComsurrogateServerdll\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\", \"C:\\Windows\\AppPatch\\cmd.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\", \"C:\\Windows\\Fonts\\CrackLauncher.exe\", \"C:\\Users\\Public\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\ComsurrogateServerdll\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\", \"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\", \"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\cmd.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\", \"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\", \"C:\\Users\\Admin\\Desktop\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\", \"C:\\Users\\Public\\Desktop\\conhost.exe\", \"C:\\Program Files\\Uninstall Information\\cmd.exe\", \"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\wscript.exe\", \"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\", \"C:\\ComsurrogateServerdll\\wscript.exe\", \"C:\\Users\\Default User\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\", \"C:\\Users\\Admin\\Videos\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
xmrig
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Uninstall Information\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\ComsurrogateServerdll\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\Desktop\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\ComsurrogateServerdll\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Program Files (x86)\\MSBuild\\Microsoft\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\AtomicHunter = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\AtomicHunter.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Program Files (x86)\\Windows NT\\TableTextService\\it-IT\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Users\\Public\\Downloads\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Public\\Desktop\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Users\\Public\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Public\\Desktop\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Resource\\Linguistics\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\ComsurrogateServerdll\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-002C-0409-0000-0000000FF1CE}-C\\Proof.fr\\audiodg.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\ComsurrogateServerdll\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\wininit.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\ComsurrogateServerdll\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\ComsurrogateServerdll\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\ComsurrogateServerdll\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Users\\Public\\Downloads\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Users\\Admin\\Pictures\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.Transactions.Bridge\\3.0.0.0__b03f5f7f11d50a3a\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\ComsurrogateServerdll\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\ComsurrogateServerdll\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Uninstall Information\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default User\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Windows\\AppPatch\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-0115-0409-0000-0000000FF1CE}-C\\1033\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Admin\\Desktop\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\ComsurrogateServerdll\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Public\\Documents\\My Pictures\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\conhost.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Program Files (x86)\\Internet Explorer\\de-DE\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\ComsurrogateServerdll\\wscript.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\reviewNet = "\"C:\\Users\\Public\\reviewNet.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\MSOCache\\All Users\\{90140000-0044-0409-0000-0000000FF1CE}-C\\OSPPSVC.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\CrackLauncher = "\"C:\\Recovery\\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\\CrackLauncher.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Program Files\\Internet Explorer\\ja-JP\\lsass.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Users\\Admin\\Videos\\cmd.exe\"" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\AtomicHunter.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\reviewNet.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\088424020bedd6 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\07b979bd10a423 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\it-IT\CrackLauncher.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\07b979bd10a423 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\088424020bedd6 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft.NET\RedistList\7fdd7c15684dda | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files\Uninstall Information\cmd.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\conhost.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\de-DE\reviewNet.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File opened for modification | C:\Program Files\Uninstall Information\cmd.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files\Uninstall Information\ebf1f9fa8afd6d | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\7a8b3f7b9ee9a7 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\Offline\ebf1f9fa8afd6d | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\088424020bedd6 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files\Internet Explorer\ja-JP\lsass.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files\Internet Explorer\ja-JP\6203df4a6bafc7 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\it-IT\7a8b3f7b9ee9a7 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\de-DE\07b979bd10a423 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Google\Update\Offline\cmd.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\reviewNet.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\7a8b3f7b9ee9a7 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\conhost.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\CrackLauncher.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\AppPatch\cmd.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\Fonts\7a8b3f7b9ee9a7 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\DigitalLocker\es-ES\cmd.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\Boot\Fonts\CrackLauncher.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\Fonts\CrackLauncher.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\CrackLauncher.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\7a8b3f7b9ee9a7 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\DataStore\smss.exe | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\SoftwareDistribution\DataStore\69ddcba757bf72 | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\DigitalLocker\es-ES\ebf1f9fa8afd6d | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| File created | C:\Windows\AppPatch\ebf1f9fa8afd6d | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\ComsurrogateServerdll\reviewNet.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1406878062102850843-1804211736-1324494858-1767034057-1667410540258605708-2105403979"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-744146261742772594497901711-1763802217-1597581060-17897338994804635431460189342"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-857903594135187414-1080223752-1408395248685007522-1248151200-18162985291718858552"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Desktop\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\conhost.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 10 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\AppPatch\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\Videos\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Videos\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 7 /tr "'C:\Users\Public\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Windows\Fonts\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Users\Public\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\Users\Public\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 6 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\ComsurrogateServerdll\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\ComsurrogateServerdll\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Pictures\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\wscript.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 5 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oInhkeZCvT.bat"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 8 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\it-IT\CrackLauncher.exe'" /rl HIGHEST /f
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 7 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Desktop\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\CrackLauncher.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\ComsurrogateServerdll\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\CrackLauncher.exe'" /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 9 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /f
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b93nLTpSQp.bat"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\CrackLauncher.exe'" /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Update\Offline\cmd.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\CrackLauncher.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\GAC_MSIL\Microsoft.Transactions.Bridge\3.0.0.0__b03f5f7f11d50a3a\CrackLauncher.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\conhost.exe'" /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\CrackLauncher.exe'" /rl HIGHEST /f
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AtomicHunterA" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\AtomicHunter.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\lsass.exe'" /f
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AtomicHunter" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\AtomicHunter.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\lsass.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "AtomicHunterA" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\AtomicHunter.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\ja-JP\lsass.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\reviewNet.exe'" /rl HIGHEST /f
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Application Data\cmd.exe'" /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\ComsurrogateServerdll\cmd.exe'" /f
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 8 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncher" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\ComsurrogateServerdll\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "CrackLauncherC" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\CrackLauncher.exe'" /rl HIGHEST /f
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\SoftwareDistribution\DataStore\smss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Downloads\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Users\Public\Downloads\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\DataStore\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\DataStore\smss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\es-ES\cmd.exe'" /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1485325698-5948290031859998328-1528393381626392092216908731-1696298834-974299828"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\es-ES\cmd.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kn8TuT8p8X.bat"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Endr4g1tEq.bat"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe
"C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\DigitalLocker\es-ES\cmd.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "210273578227321491815121121-1224688468-1309610432-1786795605-1468327361240319924"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\ComsurrogateServerdll\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\conhost.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1807382920319628346176751268-23452078-4171568191169206738885765475-1877224400"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\ComsurrogateServerdll\conhost.exe'" /rl HIGHEST /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uyZu8tDpxN.bat"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "576896792-790028612187096329-24148455-1732920522-20017761521427169960-966716183"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13108549171177278526-1614146342-312136801-6869655501581427390-1581274297-2014499822"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\Desktop\conhost.exe
"C:\Users\Admin\Desktop\conhost.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\CrackLauncher.exe
"C:\ComsurrogateServerdll\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Public\reviewNet.exe
"C:\Users\Public\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7518683001308945446-826185816-45333792-1694623851-4508581581142091451926263874"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-409630333-650634532549022811261809057742361316-145273371621411397371652132368"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "349818093-283326426-3850142711893723763-1708184793100661003615293600421155543181"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1055882789943657146638058252-312747958-561051315-15656256557227724071722812504"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1178859056-178316166516845426201455751030-13970644061895443450-5705011091540731686"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "440732488381483323-1247878223-14339697954365195111478573526-1484061845806120125"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1110438001643485439-5604723781708392965-2130052399-157382947-1982729842-1620501525"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1232106113-813038452993135205-792506833-1913922661-1103440940-1564641914-568173707"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1444267163-487040664-8154520441034784716-174599101720775825881993202977-1778190403"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-857862568-21368953955582549-172706941-1700531971402775487908720203441274968"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\eqrnvskqnorc.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "396604439-645672372-759287508-9828758832110148470-1675912147-1457241955333429844"
C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\eqrnvskqnorc.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | randomxmonero.auto.nicehash.com | udp |
| US | 34.149.22.228:443 | randomxmonero.auto.nicehash.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
| MD5 | 47459c72e16d587d72f106421f46c620 |
| SHA1 | 784809d4e9b71f9da764d43835ff5436e80424ea |
| SHA256 | 64e4ba2eff7e8abd6c738c4360079a3ced0a6d22e8935c2f8216d69b178075d3 |
| SHA512 | a78537d5bbc8569a72d388e784b16fd280ffec1cde809e56b9785cae509daec1634d0eecfe8cc0cecae5206856c143e623f8696cce3ceccc140251e490c47bf7 |
\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
| MD5 | 1612340eed578b9f695949bfbd7a625f |
| SHA1 | 6e4d20aa926063cbc15e9c65c7bfcde609219614 |
| SHA256 | 8a1df8be1833b4aa3d9d50e6b4c5e91185fcd07122baf22f650397e9494d1135 |
| SHA512 | 8835f47af32ac631f5fc51be1971ae8ff25178faeb80a0679ce45c0a7d7cb8f8bcb6953276ede02114f317e6dea42cf4f0643a00fb48e1be742a44bfd4c76b47 |
C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe
| MD5 | 19215cdffa83bf4c905f51ee487e8bec |
| SHA1 | 21c8d4aa2d99932eacef7617b007a3a8a4907ccf |
| SHA256 | 5fc3f2deada1ff0fe5a803d57f009721a2ad43e97dae76b75483ef5f3bb4c423 |
| SHA512 | 111e64c8a1640638b8f21ea1ce1b7c3b0e77bd5f6f6591a01d677ce2a7593b0655377d7c6baa3ce4726a3bafa852948db73ab899ee57837e336a86bc29998647 |
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2636-76-0x0000000000980000-0x0000000000C32000-memory.dmp
memory/660-80-0x0000000000540000-0x000000000054E000-memory.dmp
memory/2636-84-0x0000000000620000-0x0000000000630000-memory.dmp
memory/2248-85-0x0000000000950000-0x0000000000958000-memory.dmp
memory/2636-83-0x0000000000610000-0x0000000000618000-memory.dmp
memory/2248-82-0x00000000004F0000-0x000000000050C000-memory.dmp
memory/2248-81-0x0000000000250000-0x000000000025E000-memory.dmp
memory/2248-87-0x0000000000970000-0x000000000097A000-memory.dmp
memory/660-88-0x000000001A8A0000-0x000000001A8F6000-memory.dmp
memory/2248-86-0x0000000000960000-0x0000000000970000-memory.dmp
memory/1508-89-0x0000000000970000-0x000000000097C000-memory.dmp
memory/1508-91-0x0000000002230000-0x0000000002242000-memory.dmp
memory/1508-90-0x0000000002220000-0x0000000002228000-memory.dmp
memory/1508-93-0x0000000002270000-0x000000000227E000-memory.dmp
memory/1508-94-0x0000000002410000-0x000000000241C000-memory.dmp
memory/1508-95-0x0000000002420000-0x000000000242C000-memory.dmp
memory/1508-92-0x0000000002260000-0x000000000226A000-memory.dmp
C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\CrackLauncher.exe
| MD5 | 54ee180f701840090a930675dd656df2 |
| SHA1 | 7c18ea7d94f34b8a6bcedaad224d7d973b417cc4 |
| SHA256 | 71913fe34b93416cbb0f6f2807392b8387a7cce53049eec444463cd820cb580d |
| SHA512 | f9a9700c0f5e2429d0fadc238ebe19ea7b9fcaa5b7fece52073c26f35a9df456f1aa6ee14bc985b11375992ad4edda5acf65bc5848f170c4839922d185d6926c |
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
| MD5 | 8059be9929998a11f8eaeb3b956e76e8 |
| SHA1 | e531abee93ca6e45aa3c7c02fec06bd137f767c4 |
| SHA256 | c7088c0113711c9f4c61ddaad50bdaf345ec7e0e3aefa0f3639827ad06cfd565 |
| SHA512 | 6e714bd4e09ccbd93c872e900e0a36ef4b966d07eb52772407f5cb1e96eeb4f36e2cb110e7b28516f67b3d2e6c486c9cd628721c4c04e2758246accad52b4fae |
memory/5552-249-0x0000000000DC0000-0x0000000001072000-memory.dmp
memory/948-262-0x0000000000E10000-0x00000000010C2000-memory.dmp
memory/4648-265-0x00000000003C0000-0x0000000000672000-memory.dmp
memory/4572-270-0x0000000000B40000-0x0000000000DF2000-memory.dmp
memory/2792-330-0x0000000000400000-0x0000000002647000-memory.dmp
memory/1568-334-0x0000000000400000-0x0000000002647000-memory.dmp
memory/2004-333-0x0000000000400000-0x0000000002647000-memory.dmp
memory/5004-369-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/4024-349-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/6564-343-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/5816-340-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7648-338-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/6268-354-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/4844-344-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/2892-357-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/6616-355-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/3460-341-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/4700-353-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7212-346-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7684-352-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7672-356-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7744-339-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/6520-370-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/2716-360-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/5492-358-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/5732-342-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7668-347-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7372-359-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/6436-351-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/5844-336-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7624-335-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/6700-337-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/5904-348-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/6276-345-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/7700-350-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/5316-421-0x000000001B400000-0x000000001B6E2000-memory.dmp
memory/5316-422-0x0000000001E30000-0x0000000001E38000-memory.dmp
memory/5912-426-0x000000013F9F0000-0x00000001421F0000-memory.dmp
memory/1912-427-0x000000013F260000-0x0000000141A60000-memory.dmp
memory/560-433-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/1912-432-0x000000013F260000-0x0000000141A60000-memory.dmp
memory/560-435-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5344-434-0x0000000140000000-0x0000000140013000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-15 19:26
Reported
2024-07-15 19:29
Platform
win10v2004-20240709-en
Max time kernel
1s
Max time network
151s
Command Line
Signatures
DcRat
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Power Settings
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
| N/A | N/A | C:\Windows\System32\powercfg.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3844 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe |
| PID 3844 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe |
| PID 3844 wrote to memory of 2872 | N/A | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe |
| PID 3844 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3844 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 3844 wrote to memory of 1628 | N/A | C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe | C:\Windows\SysWOW64\WScript.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\sihost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TextInputHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\TextInputHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Registry.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 11 /tr "'C:\Windows\Sun\Java\Deployment\StartMenuExperienceHost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\conhost.exe'" /rl HIGHEST /f
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\sc.exe
sc stop bits
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\sc.exe
sc stop dosvc
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\eqrnvskqnorc.xml"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\eqrnvskqnorc.xml"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
"C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
"C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\eqrnvskqnorc.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe"
C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
C:\Windows\System32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /rl HIGHEST /f
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\ComsurrogateServerdll\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\ComsurrogateServerdll\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "choicec" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\WindowsHolographicDevices\choice.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "choice" /sc ONLOGON /tr "'C:\Users\All Users\WindowsHolographicDevices\choice.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "choicec" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\WindowsHolographicDevices\choice.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\reviewNet.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNet" /sc ONLOGON /tr "'C:\Users\Default User\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "reviewNetr" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\reviewNet.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\ComsurrogateServerdll\lsass.exe'" /f
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\ComsurrogateServerdll\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\explorer.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\ComsurrogateServerdll\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\TTS\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech_OneCore\Engines\TTS\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\ComsurrogateServerdll\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\ComsurrogateServerdll\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\ComsurrogateServerdll\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe
"C:\Program Files\Microsoft Office\root\Integration\Addons\dwm.exe"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c353151a-38fa-4048-aa9f-537661e52a61.vbs"
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9ce79f9a-828a-412d-a4a1-0ca8f3d4ab8e.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ComsurrogateServerdll\AK3g7uXXE.bat" "
C:\ComsurrogateServerdll\reviewNet.exe
"C:\ComsurrogateServerdll\reviewNet.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\schtasks.exe
C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\eqrnvskqnorc.xml"
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\System32\conhost.exe
C:\Windows\System32\conhost.exe
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\explorer.exe
C:\Windows\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cb23268.tw1.ru | udp |
| RU | 185.114.247.170:80 | cb23268.tw1.ru | tcp |
| RU | 185.114.247.170:80 | cb23268.tw1.ru | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 170.247.114.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.59.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | randomxmonero.auto.nicehash.com | udp |
| US | 34.149.22.228:443 | randomxmonero.auto.nicehash.com | tcp |
| US | 8.8.8.8:53 | 228.22.149.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\CrackLauncher.exe
| MD5 | 47459c72e16d587d72f106421f46c620 |
| SHA1 | 784809d4e9b71f9da764d43835ff5436e80424ea |
| SHA256 | 64e4ba2eff7e8abd6c738c4360079a3ced0a6d22e8935c2f8216d69b178075d3 |
| SHA512 | a78537d5bbc8569a72d388e784b16fd280ffec1cde809e56b9785cae509daec1634d0eecfe8cc0cecae5206856c143e623f8696cce3ceccc140251e490c47bf7 |
C:\Users\Admin\AppData\Local\Temp\AtomicHunter.exe
| MD5 | 1612340eed578b9f695949bfbd7a625f |
| SHA1 | 6e4d20aa926063cbc15e9c65c7bfcde609219614 |
| SHA256 | 8a1df8be1833b4aa3d9d50e6b4c5e91185fcd07122baf22f650397e9494d1135 |
| SHA512 | 8835f47af32ac631f5fc51be1971ae8ff25178faeb80a0679ce45c0a7d7cb8f8bcb6953276ede02114f317e6dea42cf4f0643a00fb48e1be742a44bfd4c76b47 |
C:\ComsurrogateServerdll\RDd9GppQ7ML5mhN7zYUSje44cWW.vbe
| MD5 | 19215cdffa83bf4c905f51ee487e8bec |
| SHA1 | 21c8d4aa2d99932eacef7617b007a3a8a4907ccf |
| SHA256 | 5fc3f2deada1ff0fe5a803d57f009721a2ad43e97dae76b75483ef5f3bb4c423 |
| SHA512 | 111e64c8a1640638b8f21ea1ce1b7c3b0e77bd5f6f6591a01d677ce2a7593b0655377d7c6baa3ce4726a3bafa852948db73ab899ee57837e336a86bc29998647 |
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
| MD5 | 92c1a2d015abc4695f3433787660611f |
| SHA1 | c4cd2c9aa28638ca7da3b7a5af381a4e64ff6903 |
| SHA256 | 339b82ef374d4568b45f790796ce611e908ea77c298b25de961866925a590abc |
| SHA512 | f7cd3c175cc650b4ecf4ab92b56f326f0fa17b42ec8e4905973df950e58999ff892822c84dac0e8df8a95654d499a18c86ad39b74d22e87238ce8ef08c63c358 |
memory/3788-26-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/3880-30-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/3716-33-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/4332-38-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/848-40-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/1972-45-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
C:\ComsurrogateServerdll\AK3g7uXXE.bat
| MD5 | e8a1196aafe6f8b6e6bb8c795ebf0498 |
| SHA1 | f5b7dfb17573f8901107616abbcefb7243c97f14 |
| SHA256 | 86c669cde3c0198e13d2cbff58ed537b0d994341f30a230a501eb5e5ce316201 |
| SHA512 | 23116afd8fcf4b201de8981856df75eb71bddd84f3eba0fa26afe36f1e54957c959490e5e22157b1b369c0e538707fb7ea3cbae6442ef36e6e1df601c234eb92 |
memory/4540-48-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/3636-54-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
C:\ComsurrogateServerdll\reviewNet.exe
| MD5 | 54ee180f701840090a930675dd656df2 |
| SHA1 | 7c18ea7d94f34b8a6bcedaad224d7d973b417cc4 |
| SHA256 | 71913fe34b93416cbb0f6f2807392b8387a7cce53049eec444463cd820cb580d |
| SHA512 | f9a9700c0f5e2429d0fadc238ebe19ea7b9fcaa5b7fece52073c26f35a9df456f1aa6ee14bc985b11375992ad4edda5acf65bc5848f170c4839922d185d6926c |
memory/1108-62-0x0000000000580000-0x0000000000832000-memory.dmp
memory/228-61-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/4640-67-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/1108-71-0x000000001B250000-0x000000001B25E000-memory.dmp
memory/1108-77-0x000000001BAC0000-0x000000001BAD0000-memory.dmp
memory/1108-79-0x000000001BB40000-0x000000001BB96000-memory.dmp
memory/1108-82-0x000000001BBA0000-0x000000001BBB2000-memory.dmp
memory/1108-88-0x000000001BC00000-0x000000001BC0C000-memory.dmp
memory/1108-81-0x000000001BB90000-0x000000001BB98000-memory.dmp
memory/1108-85-0x000000001BBD0000-0x000000001BBDA000-memory.dmp
memory/1108-87-0x000000001BBF0000-0x000000001BBFC000-memory.dmp
memory/1612-93-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/1108-86-0x000000001BBE0000-0x000000001BBEE000-memory.dmp
memory/1108-84-0x000000001C100000-0x000000001C628000-memory.dmp
memory/1108-80-0x000000001BAE0000-0x000000001BAEC000-memory.dmp
memory/1108-78-0x000000001BAD0000-0x000000001BADA000-memory.dmp
memory/1108-76-0x000000001BAB0000-0x000000001BAB8000-memory.dmp
memory/1108-75-0x000000001BAA0000-0x000000001BAB0000-memory.dmp
memory/1108-74-0x000000001B280000-0x000000001B288000-memory.dmp
memory/1108-73-0x000000001BAF0000-0x000000001BB40000-memory.dmp
memory/1108-72-0x000000001B260000-0x000000001B27C000-memory.dmp
memory/1108-70-0x000000001B240000-0x000000001B24E000-memory.dmp
memory/5168-117-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewNet.exe.log
| MD5 | 655010c15ea0ca05a6e5ddcd84986b98 |
| SHA1 | 120bf7e516aeed462c07625fbfcdab5124ad05d3 |
| SHA256 | 2b1ffeab025cc7c61c50e3e2e4c9253046d9174cf00181a8c1de733a4c0daa14 |
| SHA512 | e52c26718d7d1e979837b5ac626dde26920fe7413b8aa7be6f1be566a1b0f035582f4d313400e3ad6b92552abb1dfaf186b60b875fb955a2a94fd839fe841437 |
memory/5764-126-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/6104-132-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/3632-133-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q41czjzh.w1h.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5992-134-0x000002EBA9DF0000-0x000002EBA9E12000-memory.dmp
memory/2364-144-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/4332-145-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/1972-146-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/2340-147-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/5816-148-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/2912-149-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/5804-152-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/764-153-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/5044-154-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/1900-155-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/4164-156-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/4648-157-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/972-158-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/5032-159-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/1528-160-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/5924-162-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/5780-163-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/2912-165-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\PillsCheatLoader1.0.exe
| MD5 | cf010b8b8b4b7be7cf041bbdc9b2b0f0 |
| SHA1 | 46ef9630ddcbfbd04971cc8f3f60cdfa47700924 |
| SHA256 | 93e167f3bcbd0a3254d65504f9c3377bec4bf3a7102ad174511b68eeeae6c9e9 |
| SHA512 | e88d100a7ba32f42aa5c3d1a139c87a0b677cfd94f2bfb23374858e60b8ee5e73aa5077f480fe69fb208c7ffd4a47159080af77896aa56b4f2dfa3152872ae0d |
memory/2132-166-0x00007FF6072E0000-0x00007FF609AE0000-memory.dmp
memory/5848-177-0x00007FF7EA8B0000-0x00007FF7ED0B0000-memory.dmp
memory/2540-180-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/2308-179-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5520-178-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/3312-181-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/4580-182-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5832-183-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/668-184-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/2756-185-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5432-186-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/1576-187-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5524-188-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/3572-189-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/4824-190-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/3148-191-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5976-193-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5972-192-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/560-194-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5480-195-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/3148-197-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/6036-196-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5004-207-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/5140-208-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/6084-211-0x0000000074BA0000-0x0000000074E24000-memory.dmp
memory/6124-221-0x0000000074BA0000-0x0000000074E24000-memory.dmp
memory/5964-220-0x0000000074BA0000-0x0000000074E24000-memory.dmp
memory/1992-223-0x0000000000400000-0x0000000002647000-memory.dmp
memory/724-227-0x0000000000400000-0x0000000002647000-memory.dmp
memory/764-230-0x0000000074BA0000-0x0000000074E24000-memory.dmp
memory/5260-222-0x00007FF6042A0000-0x00007FF606AA0000-memory.dmp
memory/4084-263-0x000000001AED0000-0x000000001AF26000-memory.dmp
memory/3844-364-0x000001CC32B70000-0x000001CC32C25000-memory.dmp
memory/3844-363-0x000001CC32B50000-0x000001CC32B6C000-memory.dmp
memory/3844-365-0x000001CC32C30000-0x000001CC32C3A000-memory.dmp
memory/3844-366-0x000001CC32DA0000-0x000001CC32DBC000-memory.dmp
memory/3844-367-0x000001CC32D80000-0x000001CC32D8A000-memory.dmp
memory/3844-370-0x000001CC32DC0000-0x000001CC32DC6000-memory.dmp
memory/3844-371-0x000001CC32DD0000-0x000001CC32DDA000-memory.dmp
memory/3844-369-0x000001CC32D90000-0x000001CC32D98000-memory.dmp
memory/3844-368-0x000001CC32DE0000-0x000001CC32DFA000-memory.dmp