Your comments

Isn't RunCommandOutsideofSession how the ransomware encryption is happening? Seems like file transfer also would be a really, really bad idea. I have disabled my RunCommand and SwitchLogonSesion settings....