xmrig | 749ebfe548172995dec447360ac2dcbc53db826c674fac2a8d39c2a44dfecb12

Analysis

max time kernel
40s
max time network
4s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8d8d2cb_by_Libranalysis.exe
Size

1.6MB
MD5

e8d8d2cb809674275e397d3096ee0e3b
SHA1

0a7f8d3ff4d7b22bfbfcaeab6191f0be0644ccd9
SHA256

749ebfe548172995dec447360ac2dcbc53db826c674fac2a8d39c2a44dfecb12
SHA512

70ff16e3a8ce12c0591b2bb9d8acaf1f1b6f5512d10831cf85ab5b4f3b460b8b6b140a7eecd1aeb0ef1c405de90c0c56db445ff1d2b97360203c58134dcdba9a

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner Payload 12 IoCs

miner

Processes:

resource	yara_rule
C:\Windows\System\ReDLHBK.exe	xmrig
C:\Windows\System\nmbUZae.exe	xmrig
C:\Windows\System\nmbUZae.exe	xmrig
C:\Windows\System\ReDLHBK.exe	xmrig
C:\Windows\System\JxHVRjT.exe	xmrig
C:\Windows\System\WjHkizQ.exe	xmrig
C:\Windows\System\AApGzlY.exe	xmrig
C:\Windows\System\WjHkizQ.exe	xmrig
C:\Windows\System\JxHVRjT.exe	xmrig
C:\Windows\System\dcvMjuk.exe	xmrig
C:\Windows\System\qeyLEHe.exe	xmrig
C:\Windows\System\wSrTxlj.exe	xmrig

Drops file in Windows directory 1 IoCs

Processes:

e8d8d2cb_by_Libranalysis.exe

description ioc process

File created C:\Windows\System\ReDLHBK.exe e8d8d2cb_by_Libranalysis.exe

description	ioc	process
File created	C:\Windows\System\ReDLHBK.exe	e8d8d2cb_by_Libranalysis.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

e8d8d2cb_by_Libranalysis.exe

description	pid	process	target process
PID 1744 wrote to memory of 408	1744	e8d8d2cb_by_Libranalysis.exe	powershell.exe
PID 1744 wrote to memory of 408	1744	e8d8d2cb_by_Libranalysis.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\e8d8d2cb_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\e8d8d2cb_by_Libranalysis.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
2⤵
PID:408

C:\Windows\System\ReDLHBK.exe
C:\Windows\System\ReDLHBK.exe
2⤵
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:1788

C:\Windows\System\nmbUZae.exe
C:\Windows\System\nmbUZae.exe
2⤵
PID:1460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2072

C:\Windows\System\RpXwrUk.exe
C:\Windows\System\RpXwrUk.exe
2⤵
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2696

C:\Windows\System\hGjXldp.exe
C:\Windows\System\hGjXldp.exe
2⤵
PID:2832

C:\Windows\System\UJTVqlc.exe
C:\Windows\System\UJTVqlc.exe
2⤵
PID:1560

C:\Windows\System\qPQyJYj.exe
C:\Windows\System\qPQyJYj.exe
2⤵
PID:2752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:3372

C:\Windows\System\jgPbxps.exe
C:\Windows\System\jgPbxps.exe
2⤵
PID:3948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:2156

C:\Windows\System\IVhXFEM.exe
C:\Windows\System\IVhXFEM.exe
2⤵
PID:3448

C:\Windows\System\GUXuDsF.exe
C:\Windows\System\GUXuDsF.exe
2⤵
PID:3884

C:\Windows\System\zKUrTwV.exe
C:\Windows\System\zKUrTwV.exe
2⤵
PID:1824

C:\Windows\System\JxHVRjT.exe
C:\Windows\System\JxHVRjT.exe
2⤵
PID:652

C:\Windows\System\URnfGyy.exe
C:\Windows\System\URnfGyy.exe
2⤵
PID:4404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4728

C:\Windows\System\uIkPvXG.exe
C:\Windows\System\uIkPvXG.exe
2⤵
PID:4524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4796

C:\Windows\System\FQRXGtm.exe
C:\Windows\System\FQRXGtm.exe
2⤵
PID:5064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:4360

C:\Windows\System\qeyLEHe.exe
C:\Windows\System\qeyLEHe.exe
2⤵
PID:4264

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:5160

C:\Windows\System\sysVaWw.exe
C:\Windows\System\sysVaWw.exe
2⤵
PID:5340

C:\Windows\System\tTGJXZh.exe
C:\Windows\System\tTGJXZh.exe
2⤵
PID:5672

C:\Windows\System\UJLMKES.exe
C:\Windows\System\UJLMKES.exe
2⤵
PID:5760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:5944

C:\Windows\System\jfBCMpH.exe
C:\Windows\System\jfBCMpH.exe
2⤵
PID:5856

C:\Windows\System\kEDSgzG.exe
C:\Windows\System\kEDSgzG.exe
2⤵
PID:5932

C:\Windows\System\dsyrYTK.exe
C:\Windows\System\dsyrYTK.exe
2⤵
PID:6088

C:\Windows\System\sEVPqaz.exe
C:\Windows\System\sEVPqaz.exe
2⤵
PID:6080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:7448

C:\Windows\System\XuPIlWu.exe
C:\Windows\System\XuPIlWu.exe
2⤵
PID:6096

C:\Windows\System\mqCkXQr.exe
C:\Windows\System\mqCkXQr.exe
2⤵
PID:6320

C:\Windows\System\FyGEMAI.exe
C:\Windows\System\FyGEMAI.exe
2⤵
PID:6304

C:\Windows\System\VhoGirD.exe
C:\Windows\System\VhoGirD.exe
2⤵
PID:6332

C:\Windows\System\EBpFExj.exe
C:\Windows\System\EBpFExj.exe
2⤵
PID:6292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:6796

C:\Windows\System\aYaWINS.exe
C:\Windows\System\aYaWINS.exe
2⤵
PID:6816

C:\Windows\System\RuEoPDI.exe
C:\Windows\System\RuEoPDI.exe
2⤵
PID:6788

C:\Windows\System\MJRdVcY.exe
C:\Windows\System\MJRdVcY.exe
2⤵
PID:6776

C:\Windows\System\hCJbRPM.exe
C:\Windows\System\hCJbRPM.exe
2⤵
PID:6756

C:\Windows\System\ZfKjDmQ.exe
C:\Windows\System\ZfKjDmQ.exe
2⤵
PID:6744

C:\Windows\System\zpBkBzE.exe
C:\Windows\System\zpBkBzE.exe
2⤵
PID:6728

C:\Windows\System\UaiQMOA.exe
C:\Windows\System\UaiQMOA.exe
2⤵
PID:6704

C:\Windows\System\wWaFBUN.exe
C:\Windows\System\wWaFBUN.exe
2⤵
PID:6684

C:\Windows\System\gaihjkB.exe
C:\Windows\System\gaihjkB.exe
2⤵
PID:6672

C:\Windows\System\OAjQpTm.exe
C:\Windows\System\OAjQpTm.exe
2⤵
PID:6648

C:\Windows\System\EqcrcvN.exe
C:\Windows\System\EqcrcvN.exe
2⤵
PID:6640

C:\Windows\System\ldmwOuS.exe
C:\Windows\System\ldmwOuS.exe
2⤵
PID:6624

C:\Windows\System\ydDJUyD.exe
C:\Windows\System\ydDJUyD.exe
2⤵
PID:6608

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:13444

C:\Windows\System\wdBclYY.exe
C:\Windows\System\wdBclYY.exe
2⤵
PID:7384

C:\Windows\System\mHTJUgR.exe
C:\Windows\System\mHTJUgR.exe
2⤵
PID:7372

C:\Windows\System\gxbpCXO.exe
C:\Windows\System\gxbpCXO.exe
2⤵
PID:7356

C:\Windows\System\sliskjw.exe
C:\Windows\System\sliskjw.exe
2⤵
PID:7344

C:\Windows\System\MtOUsQe.exe
C:\Windows\System\MtOUsQe.exe
2⤵
PID:7336

C:\Windows\System\WCPEedQ.exe
C:\Windows\System\WCPEedQ.exe
2⤵
PID:7328

C:\Windows\System\FCcgNuw.exe
C:\Windows\System\FCcgNuw.exe
2⤵
PID:7320

C:\Windows\System\rhRrJnz.exe
C:\Windows\System\rhRrJnz.exe
2⤵
PID:7304

C:\Windows\System\dNLEQXH.exe
C:\Windows\System\dNLEQXH.exe
2⤵
PID:7296

C:\Windows\System\ITFjkdR.exe
C:\Windows\System\ITFjkdR.exe
2⤵
PID:7284

C:\Windows\System\Omcactm.exe
C:\Windows\System\Omcactm.exe
2⤵
PID:7276

C:\Windows\System\UOIoyEC.exe
C:\Windows\System\UOIoyEC.exe
2⤵
PID:8624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:10656

C:\Windows\System\UisBxGe.exe
C:\Windows\System\UisBxGe.exe
2⤵
PID:12648

C:\Windows\System\jvJaEkJ.exe
C:\Windows\System\jvJaEkJ.exe
2⤵
PID:12632

C:\Windows\System\mlBsRpN.exe
C:\Windows\System\mlBsRpN.exe
2⤵
PID:12620

C:\Windows\System\ckABrlY.exe
C:\Windows\System\ckABrlY.exe
2⤵
PID:12588

C:\Windows\System\YGCnmWL.exe
C:\Windows\System\YGCnmWL.exe
2⤵
PID:13052

C:\Windows\System\xqPTPMk.exe
C:\Windows\System\xqPTPMk.exe
2⤵
PID:13216

C:\Windows\System\NsCwpzX.exe
C:\Windows\System\NsCwpzX.exe
2⤵
PID:13188

C:\Windows\System\GlThvHb.exe
C:\Windows\System\GlThvHb.exe
2⤵
PID:13180

C:\Windows\System\esYARMU.exe
C:\Windows\System\esYARMU.exe
2⤵
PID:13416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:26724

C:\Windows\System\EOGvfiM.exe
C:\Windows\System\EOGvfiM.exe
2⤵
PID:13708

C:\Windows\System\ottpJdZ.exe
C:\Windows\System\ottpJdZ.exe
2⤵
PID:13876

C:\Windows\System\xXicNgc.exe
C:\Windows\System\xXicNgc.exe
2⤵
PID:14000

C:\Windows\System\QHtkJAF.exe
C:\Windows\System\QHtkJAF.exe
2⤵
PID:13988

C:\Windows\System\qldfxry.exe
C:\Windows\System\qldfxry.exe
2⤵
PID:13972

C:\Windows\System\FKzzNFg.exe
C:\Windows\System\FKzzNFg.exe
2⤵
PID:13964

C:\Windows\System\QPGzAEu.exe
C:\Windows\System\QPGzAEu.exe
2⤵
PID:13956

C:\Windows\System\JAQPaXB.exe
C:\Windows\System\JAQPaXB.exe
2⤵
PID:13944

C:\Windows\System\ehTwMey.exe
C:\Windows\System\ehTwMey.exe
2⤵
PID:13936

C:\Windows\System\CmENXGh.exe
C:\Windows\System\CmENXGh.exe
2⤵
PID:13928

C:\Windows\System\LuYzJsj.exe
C:\Windows\System\LuYzJsj.exe
2⤵
PID:13916

C:\Windows\System\mOAVDTK.exe
C:\Windows\System\mOAVDTK.exe
2⤵
PID:13908

C:\Windows\System\ttqwEYc.exe
C:\Windows\System\ttqwEYc.exe
2⤵
PID:13900

C:\Windows\System\OeNoUJW.exe
C:\Windows\System\OeNoUJW.exe
2⤵
PID:13884

C:\Windows\System\ghomDQe.exe
C:\Windows\System\ghomDQe.exe
2⤵
PID:13868

C:\Windows\System\snjvLLE.exe
C:\Windows\System\snjvLLE.exe
2⤵
PID:13852

C:\Windows\System\vqZBTAH.exe
C:\Windows\System\vqZBTAH.exe
2⤵
PID:13840

C:\Windows\System\aRaNbrl.exe
C:\Windows\System\aRaNbrl.exe
2⤵
PID:13832

C:\Windows\System\ToESMhx.exe
C:\Windows\System\ToESMhx.exe
2⤵
PID:13812

C:\Windows\System\sNbyerb.exe
C:\Windows\System\sNbyerb.exe
2⤵
PID:13800

C:\Windows\System\FlUXQLT.exe
C:\Windows\System\FlUXQLT.exe
2⤵
PID:13792

C:\Windows\System\qvrxqEW.exe
C:\Windows\System\qvrxqEW.exe
2⤵
PID:13784

C:\Windows\System\sGDACJd.exe
C:\Windows\System\sGDACJd.exe
2⤵
PID:13768

C:\Windows\System\JJZkNPW.exe
C:\Windows\System\JJZkNPW.exe
2⤵
PID:13748

C:\Windows\System\UvSHoTv.exe
C:\Windows\System\UvSHoTv.exe
2⤵
PID:13740

C:\Windows\System\TpxbscQ.exe
C:\Windows\System\TpxbscQ.exe
2⤵
PID:13732

C:\Windows\System\VjmXlBQ.exe
C:\Windows\System\VjmXlBQ.exe
2⤵
PID:13720

C:\Windows\System\IgRnfnc.exe
C:\Windows\System\IgRnfnc.exe
2⤵
PID:13700

C:\Windows\System\cTzLVeX.exe
C:\Windows\System\cTzLVeX.exe
2⤵
PID:13672

C:\Windows\System\PCsOFdJ.exe
C:\Windows\System\PCsOFdJ.exe
2⤵
PID:13664

C:\Windows\System\lXqIZIU.exe
C:\Windows\System\lXqIZIU.exe
2⤵
PID:13652

C:\Windows\System\JxqpRFg.exe
C:\Windows\System\JxqpRFg.exe
2⤵
PID:13644

C:\Windows\System\mXaEZgl.exe
C:\Windows\System\mXaEZgl.exe
2⤵
PID:13628

C:\Windows\System\OnVHunX.exe
C:\Windows\System\OnVHunX.exe
2⤵
PID:13620

C:\Windows\System\eaHPAPu.exe
C:\Windows\System\eaHPAPu.exe
2⤵
PID:13604

C:\Windows\System\MuNsfvl.exe
C:\Windows\System\MuNsfvl.exe
2⤵
PID:13588

C:\Windows\System\hmoOKfa.exe
C:\Windows\System\hmoOKfa.exe
2⤵
PID:13564

C:\Windows\System\gvAoLrt.exe
C:\Windows\System\gvAoLrt.exe
2⤵
PID:13556

C:\Windows\System\YxHgoYd.exe
C:\Windows\System\YxHgoYd.exe
2⤵
PID:13548

C:\Windows\System\VbGKcFf.exe
C:\Windows\System\VbGKcFf.exe
2⤵
PID:13540

C:\Windows\System\JsMuCtk.exe
C:\Windows\System\JsMuCtk.exe
2⤵
PID:13524

C:\Windows\System\DCgeaHe.exe
C:\Windows\System\DCgeaHe.exe
2⤵
PID:13516

C:\Windows\System\WWZFsTn.exe
C:\Windows\System\WWZFsTn.exe
2⤵
PID:13496

C:\Windows\System\mfxZhaR.exe
C:\Windows\System\mfxZhaR.exe
2⤵
PID:13488

C:\Windows\System\GstdmJO.exe
C:\Windows\System\GstdmJO.exe
2⤵
PID:13480

C:\Windows\System\YYsFVTb.exe
C:\Windows\System\YYsFVTb.exe
2⤵
PID:13460

C:\Windows\System\ZiVorUu.exe
C:\Windows\System\ZiVorUu.exe
2⤵
PID:13452

C:\Windows\System\CfxWJLx.exe
C:\Windows\System\CfxWJLx.exe
2⤵
PID:13432

C:\Windows\System\qwnzFqG.exe
C:\Windows\System\qwnzFqG.exe
2⤵
PID:13404

C:\Windows\System\gBELuvP.exe
C:\Windows\System\gBELuvP.exe
2⤵
PID:13396

C:\Windows\System\NbhiUMo.exe
C:\Windows\System\NbhiUMo.exe
2⤵
PID:13388

C:\Windows\System\wkeFbXY.exe
C:\Windows\System\wkeFbXY.exe
2⤵
PID:13380

C:\Windows\System\YGarawx.exe
C:\Windows\System\YGarawx.exe
2⤵
PID:13372

C:\Windows\System\SonHBGd.exe
C:\Windows\System\SonHBGd.exe
2⤵
PID:13364

C:\Windows\System\SEBGHbS.exe
C:\Windows\System\SEBGHbS.exe
2⤵
PID:13356

C:\Windows\System\EJmTCDO.exe
C:\Windows\System\EJmTCDO.exe
2⤵
PID:13348

C:\Windows\System\kSUGnqv.exe
C:\Windows\System\kSUGnqv.exe
2⤵
PID:13340

C:\Windows\System\IrclkPr.exe
C:\Windows\System\IrclkPr.exe
2⤵
PID:13332

C:\Windows\System\wcLQwZa.exe
C:\Windows\System\wcLQwZa.exe
2⤵
PID:13324

C:\Windows\System\iIrzXKs.exe
C:\Windows\System\iIrzXKs.exe
2⤵
PID:7272

C:\Windows\System\gByTNtp.exe
C:\Windows\System\gByTNtp.exe
2⤵
PID:14088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:26580

C:\Windows\System\ZkVJcVm.exe
C:\Windows\System\ZkVJcVm.exe
2⤵
PID:14080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:26592

C:\Windows\System\OMKEysc.exe
C:\Windows\System\OMKEysc.exe
2⤵
PID:14064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:26544

C:\Windows\System\KvCZMSf.exe
C:\Windows\System\KvCZMSf.exe
2⤵
PID:14844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:26804

C:\Windows\System\qePlFOG.exe
C:\Windows\System\qePlFOG.exe
2⤵
PID:16896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25384

C:\Windows\System\ZWcFePP.exe
C:\Windows\System\ZWcFePP.exe
2⤵
PID:16952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25400

C:\Windows\System\XTPSmTo.exe
C:\Windows\System\XTPSmTo.exe
2⤵
PID:16972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25408

C:\Windows\System\muAuIJQ.exe
C:\Windows\System\muAuIJQ.exe
2⤵
PID:16984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25360

C:\Windows\System\DVvsAXo.exe
C:\Windows\System\DVvsAXo.exe
2⤵
PID:17040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:26912

C:\Windows\System\bmQpQyQ.exe
C:\Windows\System\bmQpQyQ.exe
2⤵
PID:17032

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:26988

C:\Windows\System\gQOhZZy.exe
C:\Windows\System\gQOhZZy.exe
2⤵
PID:17024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25464

C:\Windows\System\KiquOVg.exe
C:\Windows\System\KiquOVg.exe
2⤵
PID:17016

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25476

C:\Windows\System\CQckcvt.exe
C:\Windows\System\CQckcvt.exe
2⤵
PID:17456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:26088

C:\Windows\System\YcRyLPZ.exe
C:\Windows\System\YcRyLPZ.exe
2⤵
PID:21752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25748

C:\Windows\System\jQyuQMh.exe
C:\Windows\System\jQyuQMh.exe
2⤵
PID:21716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25800

C:\Windows\System\RRUShnC.exe
C:\Windows\System\RRUShnC.exe
2⤵
PID:21700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25772

C:\Windows\System\bkEWLfW.exe
C:\Windows\System\bkEWLfW.exe
2⤵
PID:21688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25820

C:\Windows\System\cgOMQta.exe
C:\Windows\System\cgOMQta.exe
2⤵
PID:21680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25844

C:\Windows\System\jAKcMLj.exe
C:\Windows\System\jAKcMLj.exe
2⤵
PID:21672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25852

C:\Windows\System\ZILPFEQ.exe
C:\Windows\System\ZILPFEQ.exe
2⤵
PID:21664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:25416

C:\Windows\System\aipcKhg.exe
C:\Windows\System\aipcKhg.exe
2⤵
PID:24240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:1576

C:\Windows\System\QIIjYge.exe
C:\Windows\System\QIIjYge.exe
2⤵
PID:25072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
3⤵
PID:29400

C:\Windows\System\WjulHvM.exe
C:\Windows\System\WjulHvM.exe
2⤵
PID:28956

C:\Windows\System\PqKtXqs.exe
C:\Windows\System\PqKtXqs.exe
2⤵
PID:28948

C:\Windows\System\AqqRKOO.exe
C:\Windows\System\AqqRKOO.exe
2⤵
PID:28932

C:\Windows\System\yIORvpe.exe
C:\Windows\System\yIORvpe.exe
2⤵
PID:28924

C:\Windows\System\BlsIYtG.exe
C:\Windows\System\BlsIYtG.exe
2⤵
PID:28684

C:\Windows\System\ODZCeHp.exe
C:\Windows\System\ODZCeHp.exe
2⤵
PID:1360

C:\Windows\System\VpjjRoT.exe
C:\Windows\System\VpjjRoT.exe
2⤵
PID:516

C:\Windows\System\uXBSewI.exe
C:\Windows\System\uXBSewI.exe
2⤵
PID:28668

C:\Windows\System\mNOaFEm.exe
C:\Windows\System\mNOaFEm.exe
2⤵
PID:28660

C:\Windows\System\eXhQVaA.exe
C:\Windows\System\eXhQVaA.exe
2⤵
PID:28652

C:\Windows\System\YxbPSGh.exe
C:\Windows\System\YxbPSGh.exe
2⤵
PID:28636

C:\Windows\System\RoSXbmo.exe
C:\Windows\System\RoSXbmo.exe
2⤵
PID:28612

C:\Windows\System\CUoqFWB.exe
C:\Windows\System\CUoqFWB.exe
2⤵
PID:28604

C:\Windows\System\iDbDWzf.exe
C:\Windows\System\iDbDWzf.exe
2⤵
PID:28588

C:\Windows\System\TUiipsU.exe
C:\Windows\System\TUiipsU.exe
2⤵
PID:28576

C:\Windows\System\kujOsfV.exe
C:\Windows\System\kujOsfV.exe
2⤵
PID:28564

C:\Windows\System\MaWhWdz.exe
C:\Windows\System\MaWhWdz.exe
2⤵
PID:28552

C:\Windows\System\docFXkY.exe
C:\Windows\System\docFXkY.exe
2⤵
PID:28540

C:\Windows\System\rlJoBqG.exe
C:\Windows\System\rlJoBqG.exe
2⤵
PID:28532

C:\Windows\System\SkersWN.exe
C:\Windows\System\SkersWN.exe
2⤵
PID:28524

C:\Windows\System\SvwDgUX.exe
C:\Windows\System\SvwDgUX.exe
2⤵
PID:28516

C:\Windows\System\kXsKHFr.exe
C:\Windows\System\kXsKHFr.exe
2⤵
PID:28508

C:\Windows\System\eiGHYhp.exe
C:\Windows\System\eiGHYhp.exe
2⤵
PID:26096

C:\Windows\System\raBMozS.exe
C:\Windows\System\raBMozS.exe
2⤵
PID:26080

C:\Windows\System\oWuctKt.exe
C:\Windows\System\oWuctKt.exe
2⤵
PID:26056

C:\Windows\System\wTgXvuY.exe
C:\Windows\System\wTgXvuY.exe
2⤵
PID:26028

C:\Windows\System\hthHxoV.exe
C:\Windows\System\hthHxoV.exe
2⤵
PID:26016

C:\Windows\System\nRRRpcN.exe
C:\Windows\System\nRRRpcN.exe
2⤵
PID:25904

C:\Windows\System\KxZaKCY.exe
C:\Windows\System\KxZaKCY.exe
2⤵
PID:25884

C:\Windows\System\faBeBNE.exe
C:\Windows\System\faBeBNE.exe
2⤵
PID:25868

C:\Windows\System\QuAKrGp.exe
C:\Windows\System\QuAKrGp.exe
2⤵
PID:25836

C:\Windows\System\kBagVqz.exe
C:\Windows\System\kBagVqz.exe
2⤵
PID:25812

C:\Windows\System\qHLdQDR.exe
C:\Windows\System\qHLdQDR.exe
2⤵
PID:25788

C:\Windows\System\GLufSNk.exe
C:\Windows\System\GLufSNk.exe
2⤵
PID:25764

C:\Windows\System\bfeYenF.exe
C:\Windows\System\bfeYenF.exe
2⤵
PID:25740

C:\Windows\System\vfLPyZT.exe
C:\Windows\System\vfLPyZT.exe
2⤵
PID:25716

C:\Windows\System\csFkIDb.exe
C:\Windows\System\csFkIDb.exe
2⤵
PID:25688

C:\Windows\System\Oejskrn.exe
C:\Windows\System\Oejskrn.exe
2⤵
PID:25668

C:\Windows\System\zeztCzS.exe
C:\Windows\System\zeztCzS.exe
2⤵
PID:25632

C:\Windows\System\lawnPxk.exe
C:\Windows\System\lawnPxk.exe
2⤵
PID:25616

C:\Windows\System\zNxCpJI.exe
C:\Windows\System\zNxCpJI.exe
2⤵
PID:21540

C:\Windows\System\tMrkHFp.exe
C:\Windows\System\tMrkHFp.exe
2⤵
PID:25584

C:\Windows\System\fqRwpqG.exe
C:\Windows\System\fqRwpqG.exe
2⤵
PID:25560

C:\Windows\System\KIhEzwz.exe
C:\Windows\System\KIhEzwz.exe
2⤵
PID:25532

C:\Windows\System\fZrocBe.exe
C:\Windows\System\fZrocBe.exe
2⤵
PID:25064

C:\Windows\System\ERdfooU.exe
C:\Windows\System\ERdfooU.exe
2⤵
PID:25056

C:\Windows\System\weVFhyI.exe
C:\Windows\System\weVFhyI.exe
2⤵
PID:25048

C:\Windows\System\CexNTRe.exe
C:\Windows\System\CexNTRe.exe
2⤵
PID:25040

C:\Windows\System\PFAdLZM.exe
C:\Windows\System\PFAdLZM.exe
2⤵
PID:25016

C:\Windows\System\OllCnrZ.exe
C:\Windows\System\OllCnrZ.exe
2⤵
PID:25004

C:\Windows\System\aRzmlem.exe
C:\Windows\System\aRzmlem.exe
2⤵
PID:24996

C:\Windows\System\wciSaeP.exe
C:\Windows\System\wciSaeP.exe
2⤵
PID:24988

C:\Windows\System\DdTDCZm.exe
C:\Windows\System\DdTDCZm.exe
2⤵
PID:24952

C:\Windows\System\meozRIV.exe
C:\Windows\System\meozRIV.exe
2⤵
PID:24936

C:\Windows\System\BCWFKBI.exe
C:\Windows\System\BCWFKBI.exe
2⤵
PID:24920

C:\Windows\System\bEUrAiS.exe
C:\Windows\System\bEUrAiS.exe
2⤵
PID:24908

C:\Windows\System\VthOPkz.exe
C:\Windows\System\VthOPkz.exe
2⤵
PID:24896

C:\Windows\System\bfWsSGK.exe
C:\Windows\System\bfWsSGK.exe
2⤵
PID:24888

C:\Windows\System\llrzxnm.exe
C:\Windows\System\llrzxnm.exe
2⤵
PID:24880

C:\Windows\System\jjmBZwh.exe
C:\Windows\System\jjmBZwh.exe
2⤵
PID:24872

C:\Windows\System\ifyOwbN.exe
C:\Windows\System\ifyOwbN.exe
2⤵
PID:24864

C:\Windows\System\oqwLyGd.exe
C:\Windows\System\oqwLyGd.exe
2⤵
PID:24856

C:\Windows\System\YwvZdtW.exe
C:\Windows\System\YwvZdtW.exe
2⤵
PID:24848

C:\Windows\System\KjLxtzm.exe
C:\Windows\System\KjLxtzm.exe
2⤵
PID:24232

C:\Windows\System\WlfkqfS.exe
C:\Windows\System\WlfkqfS.exe
2⤵
PID:24216

C:\Windows\System\kwMLtSi.exe
C:\Windows\System\kwMLtSi.exe
2⤵
PID:24208

C:\Windows\System\HMmHRxu.exe
C:\Windows\System\HMmHRxu.exe
2⤵
PID:24200

C:\Windows\System\BBKLmKu.exe
C:\Windows\System\BBKLmKu.exe
2⤵
PID:24192

C:\Windows\System\akvWpGw.exe
C:\Windows\System\akvWpGw.exe
2⤵
PID:24184

C:\Windows\System\TMYixGW.exe
C:\Windows\System\TMYixGW.exe
2⤵
PID:24176

C:\Windows\System\VWTOGxd.exe
C:\Windows\System\VWTOGxd.exe
2⤵
PID:24168

C:\Windows\System\ryCeKeK.exe
C:\Windows\System\ryCeKeK.exe
2⤵
PID:24160

C:\Windows\System\wMwxYlp.exe
C:\Windows\System\wMwxYlp.exe
2⤵
PID:24152

C:\Windows\System\KIGFMML.exe
C:\Windows\System\KIGFMML.exe
2⤵
PID:24144

C:\Windows\System\XCePAwm.exe
C:\Windows\System\XCePAwm.exe
2⤵
PID:24136

C:\Windows\System\hXwVEGE.exe
C:\Windows\System\hXwVEGE.exe
2⤵
PID:24128

C:\Windows\System\bCDtTbG.exe
C:\Windows\System\bCDtTbG.exe
2⤵
PID:24120

C:\Windows\System\tUOakrb.exe
C:\Windows\System\tUOakrb.exe
2⤵
PID:24100

C:\Windows\System\eOYMrOe.exe
C:\Windows\System\eOYMrOe.exe
2⤵
PID:24088

C:\Windows\System\MYSoamA.exe
C:\Windows\System\MYSoamA.exe
2⤵
PID:24076

C:\Windows\System\jUvLkGn.exe
C:\Windows\System\jUvLkGn.exe
2⤵
PID:24060

C:\Windows\System\wHCJYJb.exe
C:\Windows\System\wHCJYJb.exe
2⤵
PID:24044

C:\Windows\System\IbfsXxF.exe
C:\Windows\System\IbfsXxF.exe
2⤵
PID:24032

C:\Windows\System\KAsyqmc.exe
C:\Windows\System\KAsyqmc.exe
2⤵
PID:24020

C:\Windows\System\NqoHKyk.exe
C:\Windows\System\NqoHKyk.exe
2⤵
PID:24000

C:\Windows\System\yejTMuL.exe
C:\Windows\System\yejTMuL.exe
2⤵
PID:23980

C:\Windows\System\RJKasXT.exe
C:\Windows\System\RJKasXT.exe
2⤵
PID:23964

C:\Windows\System\rQkiLiG.exe
C:\Windows\System\rQkiLiG.exe
2⤵
PID:23956

C:\Windows\System\PPMwoQZ.exe
C:\Windows\System\PPMwoQZ.exe
2⤵
PID:23936

C:\Windows\System\aKMfcCz.exe
C:\Windows\System\aKMfcCz.exe
2⤵
PID:23920

C:\Windows\System\aKqaLBY.exe
C:\Windows\System\aKqaLBY.exe
2⤵
PID:23904

C:\Windows\System\ucECgFH.exe
C:\Windows\System\ucECgFH.exe
2⤵
PID:23892

C:\Windows\System\UcvMJDN.exe
C:\Windows\System\UcvMJDN.exe
2⤵
PID:23880

C:\Windows\System\roxUoIK.exe
C:\Windows\System\roxUoIK.exe
2⤵
PID:23868

C:\Windows\System\OiVqEdh.exe
C:\Windows\System\OiVqEdh.exe
2⤵
PID:23852

C:\Windows\System\CXGnJTS.exe
C:\Windows\System\CXGnJTS.exe
2⤵
PID:23836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:1368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:2396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:2100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:6312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:6808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:6764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:6736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:6720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:6692

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:6660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:6632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:7408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:13424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:16532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:16476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:16432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:16804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:16944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:19152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:22496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:22356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:22348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:22340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:22280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:17452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:29720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:29708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:5812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28728

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28292

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:28012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27988

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27612

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27600

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:30192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:30176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27340

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27320

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27120

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27060

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:27000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26904

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26848

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26768

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26744

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26708

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26636

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26616

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26604

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26520

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26148

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26036

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:26008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25912

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25704

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:14272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25572

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25376

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:25368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:21156

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "6948" "1600" "1592" "1596" "0" "0" "1620" "0" "0" "0" "0" "0"
1⤵
PID:30704

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AApGzlY.exe
MD5
f823ec684252b2b462f908e48036cfc8

SHA1
471eea11715837f1cd22c748bda406d430f50999

SHA256
a52167a4b4256b9d3f1372a064198edc29f9e1a8672f26588c9107b7545b06fe

SHA512
f5b86a25cf868d5dc9d326bc7060ee8357ae8ea346c5a8d4719e982987151b5a001245213b2666aba73bdca261c2cc6f2481bb57644d0860c8655e225c0bce10

Download Submit
C:\Windows\System\JxHVRjT.exe
MD5
a57331be9b5900ed8ce06aee7a21afdd

SHA1
527d688feff1496e29db6229e61f237fb8835b3b

SHA256
9d321e34c395a0e2e460a292d93b937cb783563c1f8b9788f07b3b62804277b1

SHA512
62d99c7ae45459c3dfa5d018779be70ebc235d1dd569a532135766cc2d28e885cca0a64ab8815f88788e2596bfb33f38444a3891d9a9b16e1de590f528ee4e1e

Download Submit
C:\Windows\System\JxHVRjT.exe
MD5
a57331be9b5900ed8ce06aee7a21afdd

SHA1
527d688feff1496e29db6229e61f237fb8835b3b

SHA256
9d321e34c395a0e2e460a292d93b937cb783563c1f8b9788f07b3b62804277b1

SHA512
62d99c7ae45459c3dfa5d018779be70ebc235d1dd569a532135766cc2d28e885cca0a64ab8815f88788e2596bfb33f38444a3891d9a9b16e1de590f528ee4e1e

Download Submit
C:\Windows\System\ReDLHBK.exe
MD5
c35d03f18e9391656015e11d6535e43c

SHA1
d8d54967fcde16ac349d87c5e7e3cc2b9432907b

SHA256
7d6e885cfcbc878566bed9e90c166e7f4af34e8917fa2c77945bcb6c3df5a548

SHA512
414d213df0546ebdba8882efa0fece053d03b71ee5cd14ff15f96b5725d3ed6f9e858f4e39f51b5d8839f84158f1a0009bdda27269d4dd9007ee28dfe9ebd88a

Download Submit
C:\Windows\System\ReDLHBK.exe
MD5
c35d03f18e9391656015e11d6535e43c

SHA1
d8d54967fcde16ac349d87c5e7e3cc2b9432907b

SHA256
7d6e885cfcbc878566bed9e90c166e7f4af34e8917fa2c77945bcb6c3df5a548

SHA512
414d213df0546ebdba8882efa0fece053d03b71ee5cd14ff15f96b5725d3ed6f9e858f4e39f51b5d8839f84158f1a0009bdda27269d4dd9007ee28dfe9ebd88a

Download Submit
C:\Windows\System\WjHkizQ.exe
MD5
026f18ddd424342698c08aaf8ac4cd3e

SHA1
1b6bd77a58a5017bf29feb74f1cf53ab57c5b475

SHA256
a93b2d45ae26b1604ab5d2d76f513cf7b83085a66e1afa4a90ffff3a77acce28

SHA512
02e4642f93c59898950a80ac73a43857bb6fde829e9337cd5cf018c55163e5f7ee10437ea15a8f9c3e1f36d962055c5f7c6fcee05a0743d569d4514fadb6b601

Download Submit
C:\Windows\System\WjHkizQ.exe
MD5
026f18ddd424342698c08aaf8ac4cd3e

SHA1
1b6bd77a58a5017bf29feb74f1cf53ab57c5b475

SHA256
a93b2d45ae26b1604ab5d2d76f513cf7b83085a66e1afa4a90ffff3a77acce28

SHA512
02e4642f93c59898950a80ac73a43857bb6fde829e9337cd5cf018c55163e5f7ee10437ea15a8f9c3e1f36d962055c5f7c6fcee05a0743d569d4514fadb6b601

Download Submit
C:\Windows\System\dcvMjuk.exe
MD5
b2f006a31d3fe0b40230f5c1181b4e6a

SHA1
5cc5fd9bea2db2d4669b66667a75419f139ec2f1

SHA256
c6b7f8dcd434370d03a32c0cb5ff27315bddd72e1702a015c3cd6475917085e2

SHA512
1ed3e7c0572a419a7ab0229db0583b2009d21f80bad647938bc6934bd9e26612821fb655ef47c76a4645b4e7cb7acb58635301fc8916b2531dc75cc65d7b782a

Download Submit
C:\Windows\System\jgPbxps.exe
MD5
f18601024531e0320229c3aac19777a4

SHA1
758bd922eba0c0339d678be0485e1d7cf6119287

SHA256
7ac2016f700b19a6fcf88738255c16319e6428da5f7484a5c8d535a79ad5d829

SHA512
baf880392cc8a35a6d3956eebc3bf3e54b5abbfde9db7fcb7ae375c8ce23c6dd48401a2c96423dac6a0d6043bab04a6836c583cef267366d2083c3518972d311

Download Submit
C:\Windows\System\kEDSgzG.exe
MD5
0f8f0bff7957fda51350579ce1e2ce39

SHA1
e98542138aa4a5e64127fdbda2e76a29cb75d4c9

SHA256
76d5bc4adea8d9b313bffeb06e1d666f6915e85c0ef4a1446b0c0991170275e4

SHA512
6e688e4a0f767f9b18e4bae577f4b006309cd10330b9f72462e7775cc27c54dae7f9dab6849deea57f12f8cd4c8ab27f85f8a01f49b9096fd247030b5f840d2c

Download Submit
C:\Windows\System\nmbUZae.exe
MD5
b0bd25f1b717d63e3679a69a1c10a34a

SHA1
08c46f60548180d19f20da0f4d338f3072432d06

SHA256
3684defc8ceac8099d97977989e218485f1388204f5b332c243a8cf175548c7e

SHA512
c078f5ee6f2b74d8498a75557f1694505b803927e3be9011a099bc5fe3acb295d17b87794a8ca3bb0b01d643e41e27af917b3bf02596052731b0e10580ab8b35

Download Submit
C:\Windows\System\nmbUZae.exe
MD5
b0bd25f1b717d63e3679a69a1c10a34a

SHA1
08c46f60548180d19f20da0f4d338f3072432d06

SHA256
3684defc8ceac8099d97977989e218485f1388204f5b332c243a8cf175548c7e

SHA512
c078f5ee6f2b74d8498a75557f1694505b803927e3be9011a099bc5fe3acb295d17b87794a8ca3bb0b01d643e41e27af917b3bf02596052731b0e10580ab8b35

Download Submit
C:\Windows\System\qPQyJYj.exe
MD5
475ea8e072394e2d0b57cd7263602ba0

SHA1
e0ad5065fd747163ed22e3c6d1c7ec0e736b743d

SHA256
1d283e416deb2402f6ec37a83f062ed38bdf5e172a51df688f75b9332dcd3a20

SHA512
e34bf983da1ede85e03161b171ecd0192337e40fc23662edc09bdffae48c164e3e93d9b6fb8a6e50835383bfc3e9d0908ed7580bded7477a35f5eed87f51668c

Download Submit
C:\Windows\System\qeyLEHe.exe
MD5
93769bf8634183cf64223f2ca71dd189

SHA1
57ec05e83d86c8b0d296da13145164f6455d2ee9

SHA256
f234c53ee1b4af3a7555067779c6514f2d84a130fad4c2c4d4a220bfc93b504c

SHA512
655ec739c2ac763ba6801d541cd2b2a90bc9a81f6034f93d533a1dc00659a88152932db7ab48e2d70e6c5001d01cada371daa98c77544d5fc4ce589ef4a8b553

Download Submit
C:\Windows\System\tTGJXZh.exe
MD5
352aa3ea3a4713ff302f33520e3ac97e

SHA1
71421578789c32b86bf6e9053c052e2c790773cf

SHA256
9dc2f8d040537c46577c3ead61296fbf03155020164ed6bbd18241145e3f4bb1

SHA512
6a21a7d9d1938f81cf9f1cb903925e7fd6ed0cd87fa28264de0def48e19cc5cb3d4a059d0c65e0a32d1efc2e0f2a7617bdc9282215efbde7ef111d1ba54ba211

Download Submit
C:\Windows\System\wSrTxlj.exe
MD5
a66fee7c3d033170692f409a24193db1

SHA1
118c94d50a69383d1a970d8717c4e7c3e0101ad5

SHA256
29f5ccf238949abc5d15d82fc0a471339d043b9434ab59fbf112e6506b664354

SHA512
3333a4c674bcd81b9d77c2db6ee5a69581381d8a75039fec8bc21f70d70c2ce9e59f35f6e44681adf910fa566781b2dbf65b810fa9ea2414fd013387613a46aa

Download Submit
C:\Windows\System\weRHJiQ.exe
MD5
e447f2cf419e494a0a20d118b9e50d80

SHA1
12a0e6616c77aba58f8efa5d279a8f6dfe90091a

SHA256
e00652d586c4e6bae9ed2decfe70ef2c24dee0f82be2a382ab9f0a0fe1ee53ad

SHA512
c85cdc99d9f52f74fe3261301bdc12e4cff9a1a551390f2bc759d65ad96fc51fd8ef0592918b0cc6115f025c720d688f24cd21c96e955567d3e4e2d908acd682

Download Submit
memory/192-359-0x000001BCAC0D3000-0x000001BCAC0D5000-memory.dmp

Filesize
8KB

Download
memory/192-358-0x000001BCAC0D0000-0x000001BCAC0D2000-memory.dmp

Filesize
8KB

Download
memory/408-115-0x0000000000000000-mapping.dmp

Download
memory/408-164-0x000001ACEF4C0000-0x000001ACEF4C1000-memory.dmp

Filesize
4KB

Download
memory/652-173-0x0000000000000000-mapping.dmp

Download
memory/1112-116-0x0000000000000000-mapping.dmp

Download
memory/1368-363-0x000001CD2B070000-0x000001CD2B072000-memory.dmp

Filesize
8KB

Download
memory/1368-176-0x0000000000000000-mapping.dmp

Download
memory/1460-122-0x0000000000000000-mapping.dmp

Download
memory/1556-130-0x0000000000000000-mapping.dmp

Download
memory/1560-124-0x0000000000000000-mapping.dmp

Download
memory/1744-114-0x00000192287D0000-0x00000192287E0000-memory.dmp

Filesize
64KB

Download
memory/1788-125-0x0000000000000000-mapping.dmp

Download
memory/1824-180-0x0000000000000000-mapping.dmp

Download
memory/2072-357-0x000001A08A113000-0x000001A08A115000-memory.dmp

Filesize
8KB

Download
memory/2100-175-0x0000000000000000-mapping.dmp

Download
memory/2156-362-0x000001DD9B1C3000-0x000001DD9B1C5000-memory.dmp

Filesize
8KB

Download
memory/2168-298-0x000001EAE8810000-0x000001EAE8812000-memory.dmp

Filesize
8KB

Download
memory/2396-197-0x0000000000000000-mapping.dmp

Download
memory/2696-151-0x0000000000000000-mapping.dmp

Download
memory/2696-360-0x00000249DDB53000-0x00000249DDB55000-memory.dmp

Filesize
8KB

Download
memory/2732-361-0x000001F9D6D53000-0x000001F9D6D55000-memory.dmp

Filesize
8KB

Download
memory/2832-134-0x0000000000000000-mapping.dmp

Download
memory/3372-170-0x0000000000000000-mapping.dmp

Download
memory/3556-156-0x0000000000000000-mapping.dmp

Download
memory/3884-185-0x0000000000000000-mapping.dmp

Download
memory/3948-163-0x0000000000000000-mapping.dmp

Download
memory/4180-207-0x0000000000000000-mapping.dmp

Download
memory/4404-229-0x0000000000000000-mapping.dmp

Download
memory/4796-259-0x0000000000000000-mapping.dmp

Download
memory/5160-288-0x0000000000000000-mapping.dmp

Download
memory/5840-355-0x0000020166540000-0x0000020166542000-memory.dmp

Filesize
8KB

Download
memory/5896-339-0x000002A21BFC3000-0x000002A21BFC5000-memory.dmp

Filesize
8KB

Download
memory/5944-350-0x000001C315873000-0x000001C315875000-memory.dmp

Filesize
8KB

Download
memory/6224-337-0x000001EB3A3E0000-0x000001EB3A3E2000-memory.dmp

Filesize
8KB

Download
memory/6764-356-0x000001C339C60000-0x000001C339C62000-memory.dmp

Filesize
8KB

Download
memory/7212-353-0x0000022338923000-0x0000022338925000-memory.dmp

Filesize
8KB

Download
memory/7520-341-0x0000022368F50000-0x0000022368F52000-memory.dmp

Filesize
8KB

Download
memory/8016-342-0x000001D62FE33000-0x000001D62FE35000-memory.dmp

Filesize
8KB

Download
memory/8340-354-0x000001C530293000-0x000001C530295000-memory.dmp

Filesize
8KB

Download
memory/8696-340-0x0000029A6FEF3000-0x0000029A6FEF5000-memory.dmp

Filesize
8KB

Download
memory/9072-365-0x000001C35BC43000-0x000001C35BC45000-memory.dmp

Filesize
8KB

Download
memory/9540-345-0x000001CC698A0000-0x000001CC698A2000-memory.dmp

Filesize
8KB

Download
memory/10304-367-0x00000162F6820000-0x00000162F6822000-memory.dmp

Filesize
8KB

Download
memory/16008-364-0x00000262C2C50000-0x00000262C2C52000-memory.dmp

Filesize
8KB

Download
memory/17872-368-0x0000022FD6EA0000-0x0000022FD6EA2000-memory.dmp

Filesize
8KB

Download
memory/17872-369-0x0000022FD6EA3000-0x0000022FD6EA5000-memory.dmp

Filesize
8KB

Download
memory/20980-366-0x0000029D77420000-0x0000029D77422000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads