xmrig | f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43

Analysis

max time kernel
1s
max time network
125s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
14/11/2023, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
Size

1.8MB
MD5

eb4c372ee43fc2548d6843f3d02c9797
SHA1

fb0b142f8a6167f1be4701727b5e5e622b751bb4
SHA256

f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43
SHA512

f745531e7656eff40e7fad491e80ecf93288f10f1509a0239372ff0b47da7350bc1ff09a96377a4095d914e06f605a1dab807b25c5bf390b98ce8ee11d8a276f
SSDEEP

49152:XPujn/TJQ1NLlSqrU5tUE1etEtLlWiTHfeiEA2RQ6zHvyRWMzTb/AxoFIO2:XPcn/TJKSb5tN1etEtLlWiTHfeiEA2RJ

Score

10^/10

xmrig miner

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/files/0x0009000000012024-6.dat	xmrig
behavioral1/files/0x0009000000012024-8.dat	xmrig
behavioral1/files/0x000c000000003d59-14.dat	xmrig
behavioral1/files/0x000c000000003d59-10.dat	xmrig
behavioral1/files/0x002d000000013a49-12.dat	xmrig
behavioral1/files/0x0008000000015eb5-33.dat	xmrig
behavioral1/files/0x0008000000015eb5-30.dat	xmrig
behavioral1/files/0x0009000000015e0c-36.dat	xmrig
behavioral1/files/0x002b000000015c74-42.dat	xmrig
behavioral1/files/0x0008000000015ec8-55.dat	xmrig
behavioral1/files/0x000800000001626a-65.dat	xmrig
behavioral1/files/0x000800000001626a-61.dat	xmrig
behavioral1/files/0x000800000001210b-64.dat	xmrig
behavioral1/files/0x000700000001605c-53.dat	xmrig
behavioral1/files/0x000700000001605c-50.dat	xmrig
behavioral1/files/0x0008000000015ec8-44.dat	xmrig
behavioral1/files/0x002b000000015c74-40.dat	xmrig
behavioral1/files/0x0009000000015e0c-39.dat	xmrig
behavioral1/files/0x002d000000013a49-24.dat	xmrig
behavioral1/files/0x002d000000013a49-21.dat	xmrig
behavioral1/files/0x0007000000016c26-81.dat	xmrig
behavioral1/files/0x0007000000016ae6-73.dat	xmrig
behavioral1/files/0x0006000000016ce8-112.dat	xmrig
behavioral1/files/0x0007000000016cbf-97.dat	xmrig
behavioral1/files/0x0006000000016c36-93.dat	xmrig
behavioral1/files/0x0006000000016ce0-108.dat	xmrig
behavioral1/files/0x000800000001210b-80.dat	xmrig
behavioral1/files/0x0006000000016ce0-104.dat	xmrig
behavioral1/files/0x0006000000016c2c-100.dat	xmrig
behavioral1/files/0x0007000000016c26-90.dat	xmrig
behavioral1/files/0x0007000000016ae6-89.dat	xmrig
behavioral1/files/0x0006000000016c2c-77.dat	xmrig
behavioral1/files/0x0007000000016ca4-130.dat	xmrig
behavioral1/files/0x0007000000016baa-138.dat	xmrig
behavioral1/files/0x0006000000016ce8-116.dat	xmrig
behavioral1/files/0x0007000000016baa-126.dat	xmrig
behavioral1/files/0x0007000000016d01-136.dat	xmrig
behavioral1/files/0x0007000000016d01-133.dat	xmrig
behavioral1/files/0x00070000000167f7-124.dat	xmrig
behavioral1/files/0x0007000000016cbf-122.dat	xmrig
behavioral1/files/0x0006000000016c36-110.dat	xmrig
behavioral1/files/0x00070000000167f7-101.dat	xmrig
behavioral1/files/0x0007000000016ca4-140.dat	xmrig
behavioral1/files/0x0006000000016fe3-183.dat	xmrig
behavioral1/files/0x0007000000016d28-178.dat	xmrig
behavioral1/files/0x0006000000016d85-180.dat	xmrig
behavioral1/files/0x0006000000016d80-175.dat	xmrig
behavioral1/files/0x0007000000016d28-169.dat	xmrig
behavioral1/files/0x0006000000016d78-172.dat	xmrig
behavioral1/files/0x0006000000016d64-166.dat	xmrig
behavioral1/files/0x0006000000016d05-164.dat	xmrig
behavioral1/files/0x0006000000016d05-155.dat	xmrig
behavioral1/files/0x0006000000016d78-190.dat	xmrig
behavioral1/files/0x0006000000016d80-188.dat	xmrig
behavioral1/files/0x0006000000016d64-186.dat	xmrig

Executes dropped EXE 6 IoCs

pid	Process
2692	qBYBAgC.exe
2740	OYDTcSe.exe
2000	KCnGGDW.exe
2016	abkzsNP.exe
3044	ExTXHLQ.exe
1816	HwzoEXu.exe

Loads dropped DLL 7 IoCs

pid	Process
2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\System\HwzoEXu.exe	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
File created	C:\Windows\System\XAnIVdL.exe	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
File created	C:\Windows\System\qBYBAgC.exe	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
File created	C:\Windows\System\OYDTcSe.exe	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
File created	C:\Windows\System\KCnGGDW.exe	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
File created	C:\Windows\System\abkzsNP.exe	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
File created	C:\Windows\System\ExTXHLQ.exe	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2688	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	29
PID 2628 wrote to memory of 2688	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	29
PID 2628 wrote to memory of 2688	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	29
PID 2628 wrote to memory of 2692	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	30
PID 2628 wrote to memory of 2692	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	30
PID 2628 wrote to memory of 2692	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	30
PID 2628 wrote to memory of 2740	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	31
PID 2628 wrote to memory of 2740	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	31
PID 2628 wrote to memory of 2740	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	31
PID 2740 wrote to memory of 2564	2740	OYDTcSe.exe	32
PID 2740 wrote to memory of 2564	2740	OYDTcSe.exe	32
PID 2740 wrote to memory of 2564	2740	OYDTcSe.exe	32
PID 2692 wrote to memory of 2572	2692	qBYBAgC.exe	33
PID 2692 wrote to memory of 2572	2692	qBYBAgC.exe	33
PID 2692 wrote to memory of 2572	2692	qBYBAgC.exe	33
PID 2628 wrote to memory of 2000	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	34
PID 2628 wrote to memory of 2000	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	34
PID 2628 wrote to memory of 2000	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	34
PID 2628 wrote to memory of 2016	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	35
PID 2628 wrote to memory of 2016	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	35
PID 2628 wrote to memory of 2016	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	35
PID 2016 wrote to memory of 1192	2016	abkzsNP.exe	50
PID 2016 wrote to memory of 1192	2016	abkzsNP.exe	50
PID 2016 wrote to memory of 1192	2016	abkzsNP.exe	50
PID 2000 wrote to memory of 2344	2000	KCnGGDW.exe	36
PID 2000 wrote to memory of 2344	2000	KCnGGDW.exe	36
PID 2000 wrote to memory of 2344	2000	KCnGGDW.exe	36
PID 2628 wrote to memory of 3044	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	37
PID 2628 wrote to memory of 3044	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	37
PID 2628 wrote to memory of 3044	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	37
PID 2628 wrote to memory of 1816	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	49
PID 2628 wrote to memory of 1816	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	49
PID 2628 wrote to memory of 1816	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	49
PID 2628 wrote to memory of 2860	2628	f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe	48

C:\Users\Admin\AppData\Local\Temp\f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe
"C:\Users\Admin\AppData\Local\Temp\f67746e5bff0fa6d9d578f3c81246ec8af9de4899a6e663daa570f4aa94edf43.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
  2⤵
  PID:2688
- C:\Windows\System\qBYBAgC.exe
  C:\Windows\System\qBYBAgC.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2572
- C:\Windows\System\OYDTcSe.exe
  C:\Windows\System\OYDTcSe.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2564
- C:\Windows\System\KCnGGDW.exe
  C:\Windows\System\KCnGGDW.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2344
- C:\Windows\System\abkzsNP.exe
  C:\Windows\System\abkzsNP.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1192
- C:\Windows\System\ExTXHLQ.exe
  C:\Windows\System\ExTXHLQ.exe
  2⤵
  - Executes dropped EXE
  PID:3044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1564
- C:\Windows\System\YjuPPns.exe
  C:\Windows\System\YjuPPns.exe
  2⤵
  PID:536
- C:\Windows\System\tgpDvwh.exe
  C:\Windows\System\tgpDvwh.exe
  2⤵
  PID:1416
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1976
- C:\Windows\System\mnUvzAd.exe
  C:\Windows\System\mnUvzAd.exe
  2⤵
  PID:284
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2852
- C:\Windows\System\xeCDCjM.exe
  C:\Windows\System\xeCDCjM.exe
  2⤵
  PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1464
- C:\Windows\System\nfAHLmh.exe
  C:\Windows\System\nfAHLmh.exe
  2⤵
  PID:2196
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1960
- C:\Windows\System\OrmvXyP.exe
  C:\Windows\System\OrmvXyP.exe
  2⤵
  PID:1600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2836
- C:\Windows\System\GYLEuoI.exe
  C:\Windows\System\GYLEuoI.exe
  2⤵
  PID:2904
- C:\Windows\System\XAnIVdL.exe
  C:\Windows\System\XAnIVdL.exe
  2⤵
  PID:2860
- C:\Windows\System\HwzoEXu.exe
  C:\Windows\System\HwzoEXu.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\RBvTUIE.exe
  C:\Windows\System\RBvTUIE.exe
  2⤵
  PID:2100
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:908
- C:\Windows\System\pCEsVGo.exe
  C:\Windows\System\pCEsVGo.exe
  2⤵
  PID:1756
- C:\Windows\System\AwhvjVk.exe
  C:\Windows\System\AwhvjVk.exe
  2⤵
  PID:1360
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2956
- C:\Windows\System\kaXRYfm.exe
  C:\Windows\System\kaXRYfm.exe
  2⤵
  PID:1928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2392
- C:\Windows\System\tHIvErt.exe
  C:\Windows\System\tHIvErt.exe
  2⤵
  PID:2404
- C:\Windows\System\ZaPhQNU.exe
  C:\Windows\System\ZaPhQNU.exe
  2⤵
  PID:848
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1316
- C:\Windows\System\JwZTgXp.exe
  C:\Windows\System\JwZTgXp.exe
  2⤵
  PID:2092
- C:\Windows\System\blBwMOV.exe
  C:\Windows\System\blBwMOV.exe
  2⤵
  PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:788
- C:\Windows\System\mutEoDY.exe
  C:\Windows\System\mutEoDY.exe
  2⤵
  PID:2044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1440
- C:\Windows\System\gJClkzd.exe
  C:\Windows\System\gJClkzd.exe
  2⤵
  PID:1480
- C:\Windows\System\bRLluKx.exe
  C:\Windows\System\bRLluKx.exe
  2⤵
  PID:1784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2796
- C:\Windows\System\ndSWHoV.exe
  C:\Windows\System\ndSWHoV.exe
  2⤵
  PID:892
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2584
- C:\Windows\System\ciHhJaV.exe
  C:\Windows\System\ciHhJaV.exe
  2⤵
  PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2760
- C:\Windows\System\FNNkllm.exe
  C:\Windows\System\FNNkllm.exe
  2⤵
  PID:560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2948
- C:\Windows\System\MAJkDOX.exe
  C:\Windows\System\MAJkDOX.exe
  2⤵
  PID:2356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1296
- C:\Windows\System\GfdDeOC.exe
  C:\Windows\System\GfdDeOC.exe
  2⤵
  PID:1236
- C:\Windows\System\ldqwGfw.exe
  C:\Windows\System\ldqwGfw.exe
  2⤵
  PID:1052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1752
- C:\Windows\System\pTUtknw.exe
  C:\Windows\System\pTUtknw.exe
  2⤵
  PID:1916
- C:\Windows\System\SIbVBeJ.exe
  C:\Windows\System\SIbVBeJ.exe
  2⤵
  PID:296
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2428
- C:\Windows\System\cyUXEii.exe
  C:\Windows\System\cyUXEii.exe
  2⤵
  PID:2888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2416
- C:\Windows\System\kuovVUN.exe
  C:\Windows\System\kuovVUN.exe
  2⤵
  PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2960
- C:\Windows\System\FzSZbfM.exe
  C:\Windows\System\FzSZbfM.exe
  2⤵
  PID:2612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1668
- C:\Windows\System\lscZeYE.exe
  C:\Windows\System\lscZeYE.exe
  2⤵
  PID:2588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:328
- C:\Windows\System\XQclXXx.exe
  C:\Windows\System\XQclXXx.exe
  2⤵
  PID:2088
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2840
- C:\Windows\System\fdryfoi.exe
  C:\Windows\System\fdryfoi.exe
  2⤵
  PID:2512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1016
- C:\Windows\System\sEdjUQO.exe
  C:\Windows\System\sEdjUQO.exe
  2⤵
  PID:2596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1028
- C:\Windows\System\jdfXSIL.exe
  C:\Windows\System\jdfXSIL.exe
  2⤵
  PID:1468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1912
- C:\Windows\System\JPosJao.exe
  C:\Windows\System\JPosJao.exe
  2⤵
  PID:700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2340
- C:\Windows\System\UiQrGMn.exe
  C:\Windows\System\UiQrGMn.exe
  2⤵
  PID:996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3016
- C:\Windows\System\GwdqEjF.exe
  C:\Windows\System\GwdqEjF.exe
  2⤵
  PID:2880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2756
- C:\Windows\System\vUncCmY.exe
  C:\Windows\System\vUncCmY.exe
  2⤵
  PID:2844
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:568
- C:\Windows\System\FebsNlH.exe
  C:\Windows\System\FebsNlH.exe
  2⤵
  PID:3028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1556
- C:\Windows\System\EKiRahF.exe
  C:\Windows\System\EKiRahF.exe
  2⤵
  PID:1432
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:2144
- C:\Windows\System\gdTABmx.exe
  C:\Windows\System\gdTABmx.exe
  2⤵
  PID:2448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1212
- C:\Windows\System\jlXtkNU.exe
  C:\Windows\System\jlXtkNU.exe
  2⤵
  PID:1768
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:652
- C:\Windows\System\gLMawSl.exe
  C:\Windows\System\gLMawSl.exe
  2⤵
  PID:1644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:1064
- C:\Windows\System\kZJIMOF.exe
  C:\Windows\System\kZJIMOF.exe
  2⤵
  PID:2600
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:588
- C:\Windows\System\DowsMwl.exe
  C:\Windows\System\DowsMwl.exe
  2⤵
  PID:3076
- C:\Windows\System\EDuEMZu.exe
  C:\Windows\System\EDuEMZu.exe
  2⤵
  PID:3288
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3488
- C:\Windows\System\VFHDCBo.exe
  C:\Windows\System\VFHDCBo.exe
  2⤵
  PID:3272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3664
- C:\Windows\System\toBuDAn.exe
  C:\Windows\System\toBuDAn.exe
  2⤵
  PID:3256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3480
- C:\Windows\System\GJsdcyk.exe
  C:\Windows\System\GJsdcyk.exe
  2⤵
  PID:3348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3684
- C:\Windows\System\LNVQdkt.exe
  C:\Windows\System\LNVQdkt.exe
  2⤵
  PID:3328
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3504
- C:\Windows\System\lQehaWH.exe
  C:\Windows\System\lQehaWH.exe
  2⤵
  PID:3644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3988
- C:\Windows\System\tOpOaFZ.exe
  C:\Windows\System\tOpOaFZ.exe
  2⤵
  PID:3628
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4004
- C:\Windows\System\YDvXqnH.exe
  C:\Windows\System\YDvXqnH.exe
  2⤵
  PID:3612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3996
- C:\Windows\System\fLUHOGp.exe
  C:\Windows\System\fLUHOGp.exe
  2⤵
  PID:3596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3956
- C:\Windows\System\jfdjvRG.exe
  C:\Windows\System\jfdjvRG.exe
  2⤵
  PID:3580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3908
- C:\Windows\System\uuVMIEv.exe
  C:\Windows\System\uuVMIEv.exe
  2⤵
  PID:3564
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3964
- C:\Windows\System\irUNdFp.exe
  C:\Windows\System\irUNdFp.exe
  2⤵
  PID:3548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3928
- C:\Windows\System\PvQFhWe.exe
  C:\Windows\System\PvQFhWe.exe
  2⤵
  PID:3532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3976
- C:\Windows\System\zKCEeyB.exe
  C:\Windows\System\zKCEeyB.exe
  2⤵
  PID:3516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3944
- C:\Windows\System\lmJAXoe.exe
  C:\Windows\System\lmJAXoe.exe
  2⤵
  PID:3312
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3708
- C:\Windows\System\cIlXDjm.exe
  C:\Windows\System\cIlXDjm.exe
  2⤵
  PID:3240
- C:\Windows\System\xETmJks.exe
  C:\Windows\System\xETmJks.exe
  2⤵
  PID:3224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3676
- C:\Windows\System\fATQvrI.exe
  C:\Windows\System\fATQvrI.exe
  2⤵
  PID:3208
- C:\Windows\System\SLMIsdf.exe
  C:\Windows\System\SLMIsdf.exe
  2⤵
  PID:3192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3692
- C:\Windows\System\ofXZmEc.exe
  C:\Windows\System\ofXZmEc.exe
  2⤵
  PID:3176
- C:\Windows\System\CFEtVnA.exe
  C:\Windows\System\CFEtVnA.exe
  2⤵
  PID:3160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3700
- C:\Windows\System\rEOltnd.exe
  C:\Windows\System\rEOltnd.exe
  2⤵
  PID:3144
- C:\Windows\System\WrdbgBa.exe
  C:\Windows\System\WrdbgBa.exe
  2⤵
  PID:3128
- C:\Windows\System\EOZBYvY.exe
  C:\Windows\System\EOZBYvY.exe
  2⤵
  PID:3112
- C:\Windows\System\gLChXaW.exe
  C:\Windows\System\gLChXaW.exe
  2⤵
  PID:3096
- C:\Windows\System\kYlNDnr.exe
  C:\Windows\System\kYlNDnr.exe
  2⤵
  PID:3780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4016
- C:\Windows\System\NdzTiIg.exe
  C:\Windows\System\NdzTiIg.exe
  2⤵
  PID:3888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4024
- C:\Windows\System\sfrBRee.exe
  C:\Windows\System\sfrBRee.exe
  2⤵
  PID:4036
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3216
- C:\Windows\System\PLntQOt.exe
  C:\Windows\System\PLntQOt.exe
  2⤵
  PID:3556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3572
- C:\Windows\System\YLmJkEx.exe
  C:\Windows\System\YLmJkEx.exe
  2⤵
  PID:3872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4060
- C:\Windows\System\LraoTTs.exe
  C:\Windows\System\LraoTTs.exe
  2⤵
  PID:3788
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4440
- C:\Windows\System\pECtOFT.exe
  C:\Windows\System\pECtOFT.exe
  2⤵
  PID:3760
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5456
- C:\Windows\System\VhCLeCV.exe
  C:\Windows\System\VhCLeCV.exe
  2⤵
  PID:3752
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3900
- C:\Windows\System\XIfuwEu.exe
  C:\Windows\System\XIfuwEu.exe
  2⤵
  PID:4272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5512
- C:\Windows\System\eCWSCch.exe
  C:\Windows\System\eCWSCch.exe
  2⤵
  PID:4256
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5480
- C:\Windows\System\VrTowXk.exe
  C:\Windows\System\VrTowXk.exe
  2⤵
  PID:4240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5520
- C:\Windows\System\vKsJPKD.exe
  C:\Windows\System\vKsJPKD.exe
  2⤵
  PID:4224
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5268
- C:\Windows\System\LQUWxbi.exe
  C:\Windows\System\LQUWxbi.exe
  2⤵
  PID:4208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5400
- C:\Windows\System\YantZxp.exe
  C:\Windows\System\YantZxp.exe
  2⤵
  PID:4192
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5464
- C:\Windows\System\QTHwGUt.exe
  C:\Windows\System\QTHwGUt.exe
  2⤵
  PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4756
- C:\Windows\System\sXVpHrA.exe
  C:\Windows\System\sXVpHrA.exe
  2⤵
  PID:4160
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4364
- C:\Windows\System\AsdDnyr.exe
  C:\Windows\System\AsdDnyr.exe
  2⤵
  PID:4144
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4764
- C:\Windows\System\gGuAuYF.exe
  C:\Windows\System\gGuAuYF.exe
  2⤵
  PID:4128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4788
- C:\Windows\System\GiUjfXx.exe
  C:\Windows\System\GiUjfXx.exe
  2⤵
  PID:4112
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4772
- C:\Windows\System\zyJMpaT.exe
  C:\Windows\System\zyJMpaT.exe
  2⤵
  PID:3456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4796
- C:\Windows\System\gorpuRT.exe
  C:\Windows\System\gorpuRT.exe
  2⤵
  PID:3560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4780
- C:\Windows\System\fHQmYUg.exe
  C:\Windows\System\fHQmYUg.exe
  2⤵
  PID:3592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4804
- C:\Windows\System\cquhzZp.exe
  C:\Windows\System\cquhzZp.exe
  2⤵
  PID:3136
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4748
- C:\Windows\System\gwgFabW.exe
  C:\Windows\System\gwgFabW.exe
  2⤵
  PID:4368
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5504
- C:\Windows\System\CNODMGo.exe
  C:\Windows\System\CNODMGo.exe
  2⤵
  PID:4352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5488
- C:\Windows\System\BavArPX.exe
  C:\Windows\System\BavArPX.exe
  2⤵
  PID:4336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4332
- C:\Windows\System\DRTSLeM.exe
  C:\Windows\System\DRTSLeM.exe
  2⤵
  PID:4292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5392
- C:\Windows\System\AiYGuqe.exe
  C:\Windows\System\AiYGuqe.exe
  2⤵
  PID:4392
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5496
- C:\Windows\System\tYyXeCV.exe
  C:\Windows\System\tYyXeCV.exe
  2⤵
  PID:4700
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5632
- C:\Windows\System\sTjILPS.exe
  C:\Windows\System\sTjILPS.exe
  2⤵
  PID:4684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5668
- C:\Windows\System\PudVluW.exe
  C:\Windows\System\PudVluW.exe
  2⤵
  PID:4668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5584
- C:\Windows\System\qXzBHtu.exe
  C:\Windows\System\qXzBHtu.exe
  2⤵
  PID:4652
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5628
- C:\Windows\System\MbMMmGD.exe
  C:\Windows\System\MbMMmGD.exe
  2⤵
  PID:4636
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:4324
- C:\Windows\System\VPUrYUo.exe
  C:\Windows\System\VPUrYUo.exe
  2⤵
  PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5716
- C:\Windows\System\xvmDqEJ.exe
  C:\Windows\System\xvmDqEJ.exe
  2⤵
  PID:4604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5408
- C:\Windows\System\VlldEzs.exe
  C:\Windows\System\VlldEzs.exe
  2⤵
  PID:4588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5692
- C:\Windows\System\FftwIuz.exe
  C:\Windows\System\FftwIuz.exe
  2⤵
  PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5472
- C:\Windows\System\NDGjnVS.exe
  C:\Windows\System\NDGjnVS.exe
  2⤵
  PID:4556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5616
- C:\Windows\System\KgIMOHb.exe
  C:\Windows\System\KgIMOHb.exe
  2⤵
  PID:4540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5440
- C:\Windows\System\cSQgbJK.exe
  C:\Windows\System\cSQgbJK.exe
  2⤵
  PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5608
- C:\Windows\System\kSdCUXA.exe
  C:\Windows\System\kSdCUXA.exe
  2⤵
  PID:4508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5432
- C:\Windows\System\KVvOVcs.exe
  C:\Windows\System\KVvOVcs.exe
  2⤵
  PID:4716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5676
- C:\Windows\System\YEQtvVp.exe
  C:\Windows\System\YEQtvVp.exe
  2⤵
  PID:4492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5568
- C:\Windows\System\OHtEzcH.exe
  C:\Windows\System\OHtEzcH.exe
  2⤵
  PID:4476
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5448
- C:\Windows\System\kKIwEgc.exe
  C:\Windows\System\kKIwEgc.exe
  2⤵
  PID:4460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5320
- C:\Windows\System\IikTWTb.exe
  C:\Windows\System\IikTWTb.exe
  2⤵
  PID:4444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5560
- C:\Windows\System\sddaGXN.exe
  C:\Windows\System\sddaGXN.exe
  2⤵
  PID:4428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5528
- C:\Windows\System\pPVwsEP.exe
  C:\Windows\System\pPVwsEP.exe
  2⤵
  PID:4732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5644
- C:\Windows\System\KOncQTP.exe
  C:\Windows\System\KOncQTP.exe
  2⤵
  PID:4916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5600
- C:\Windows\System\SVIvLdr.exe
  C:\Windows\System\SVIvLdr.exe
  2⤵
  PID:5068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5684
- C:\Windows\System\sIcwwiH.exe
  C:\Windows\System\sIcwwiH.exe
  2⤵
  PID:4348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5652
- C:\Windows\System\mttcixs.exe
  C:\Windows\System\mttcixs.exe
  2⤵
  PID:4420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5708
- C:\Windows\System\FAqtirm.exe
  C:\Windows\System\FAqtirm.exe
  2⤵
  PID:5052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5660
- C:\Windows\System\xfGdDeJ.exe
  C:\Windows\System\xfGdDeJ.exe
  2⤵
  PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5700
- C:\Windows\System\prZptlj.exe
  C:\Windows\System\prZptlj.exe
  2⤵
  PID:4316
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5728
- C:\Windows\System\HyTRxKy.exe
  C:\Windows\System\HyTRxKy.exe
  2⤵
  PID:5188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5964
- C:\Windows\System\njpVwoR.exe
  C:\Windows\System\njpVwoR.exe
  2⤵
  PID:5228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5992
- C:\Windows\System\pnagPwt.exe
  C:\Windows\System\pnagPwt.exe
  2⤵
  PID:5784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:5912
- C:\Windows\System\hylIqGI.exe
  C:\Windows\System\hylIqGI.exe
  2⤵
  PID:6052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
    3⤵
    PID:3852
- C:\Windows\System\dkYtoGU.exe
  C:\Windows\System\dkYtoGU.exe
  2⤵
  PID:2108
- C:\Windows\System\XawjUiG.exe
  C:\Windows\System\XawjUiG.exe
  2⤵
  PID:3880

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:2260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3464

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3448

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3440

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -command "Invoke-WebRequest "https://raw.githubusercontent.com/" "
1⤵
PID:3496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\D2GT0AIO8DTR82ESA9PF.temp

Filesize
7KB

MD5
500ab4ea572f520cb0dafec529e738fc

SHA1
5aaee65cbe2dbbcf6a7630ddea3cb3eb0236ea76

SHA256
d666bdc22d58cbc207bfbcf6221a3895ead0070e594505cabaa0b8db51f4486f

SHA512
6b5539933e72ffd137756581d6141efa88efaa949dd28d6c8324dbcb88d930543cf120771dac97116faac3d771854ac9d170f5c5cef6cb319fdca03c9c72f27f

Download Submit
C:\Windows\system\AwhvjVk.exe

Filesize
1.8MB

MD5
ccc1a07963ebf501b9be0b8946abdf26

SHA1
af160422fbf8e3a4091ccd3a15748b610c9d0bdc

SHA256
73c10e6919b9ceff8d2e03ddb873175a364d69bf52d87b7454b7fc97e0625a3a

SHA512
f6952f427ada706957ed9ea06587069373b833dde885c69a6f68bda6176a77f20b7a71387ba4af8a879438a570c71d3aab5d3e22e86f64325134e047a339197b

Download Submit
C:\Windows\system\ExTXHLQ.exe

Filesize
1.8MB

MD5
547387b346c9490a9ec4b5b6f4fa6f66

SHA1
0bd28302669c9a58496e2b26b0a384556f5907a9

SHA256
f335fa3254415c6b08aae5b274ea9cba5f19d6aa02a5e4eb2868542de90f7e4a

SHA512
6e50c9ee7c8ff4e933c2d6d2fc8d42964c426ee1ab6908bd930c6db19e19bdc021c685f4d341a4fb44f63e3da947d3fb456705f89411a79d4c43559777c742ee

Download Submit
C:\Windows\system\FNNkllm.exe

Filesize
1.8MB

MD5
efe2aa25735213d2b16793f4c8a2784f

SHA1
3da5134777db18a6a599a4b93065f9687347bf6c

SHA256
484110c67d261dadb22650de5fdef05dcd4d58dde43279cf1b1967a152acf6a1

SHA512
96d6ef46c22d7bfe3968745d638ca6bda4e03bf06747cc87d1508725989b890caba1554fbf8c1333b308322408d3632c888d2742cc5b55ba5ea5f9de592bfeb8

Download Submit
C:\Windows\system\GYLEuoI.exe

Filesize
1.8MB

MD5
668745a3f377344445cd0f4d43f9b43d

SHA1
a8e4998a00133a4245023ff31bd400ac83e5da85

SHA256
0ca99fcb8875f91caa9a1abe45db04a50c5e7bfc29c01f51947f1ab48a1cab37

SHA512
73ef3a279c012fbf23e85647e48612172a4d15de75c75490a80c8eac3b2a395c11f18ed8cb9be1413c20235775eba624bc63aa006a27f05103c7c55ac4c82bb1

Download Submit
C:\Windows\system\GfdDeOC.exe

Filesize
1.8MB

MD5
333abcd29b4fbdeb366a6bf6ff510730

SHA1
4532a50903d2222ce66bc2d5b64859b448e467dc

SHA256
8d0a3551b6242072455ce7a1ded9ffe104081bbb645596a7d0898ed729afb1c4

SHA512
01025e78871f07eaea89854c0e6dc62f8b19a6bc38ce33b88f5bda1221c9d24db6661a5c03c455f56435235b26349683a4bab95a442a66613794d3d5a621be6a

Download Submit
C:\Windows\system\HwzoEXu.exe

Filesize
1.8MB

MD5
b88f4cfaea19a61c948b57fb4742d42c

SHA1
8d75edd3c71e3ea47574c6312fdc80b9748d5b5a

SHA256
a6a03e61aef7f87152a29a6dfedf653c8708a7bbfdb3e428354876e4e23a42e5

SHA512
2d5823afb8fa221925144445c0d8e2e2bcaa9b24f8f69782029ca9b6a956c352a860b237e02c0de7b79beea91fefe9ac054c2d508b272d60237a1e725a64132a

Download Submit
C:\Windows\system\JwZTgXp.exe

Filesize
1.8MB

MD5
3b63211a3313ad4b692d727b9f9830bc

SHA1
e502d7e5ef781f7ae394bdef7b8e7ed5aeff4390

SHA256
1e7f446d7ebb7621cf2d436c84b1db4e88c19ed4e365317b01cfd47fbde99a98

SHA512
5792401833716e3c1428474fde2ee6a3e6bb655b7fd810413e261f0e1e2439487053ad05ce1bc2bfd9a6a45b98c722ef2d60ad2af412a935aed5c9159221216c

Download Submit
C:\Windows\system\KCnGGDW.exe

Filesize
1.8MB

MD5
e9e66f5e4eeced4d8fa4e843eebc0351

SHA1
8435dcaccb9521f1355b2e87d82f504872687f37

SHA256
355ff9a2679b9a75d947078ff9e834de7d1128be6984109a262b0cadb9983699

SHA512
39af5bf166598489bf4e2608db343e64045dddfa8fa20dcb6032dba75604b1507f890c69deb81e2880cfd0813c6ee5a2ad3839625b119df1eaca023fbbdf55fb

Download Submit
C:\Windows\system\KCnGGDW.exe

Filesize
1.8MB

MD5
e9e66f5e4eeced4d8fa4e843eebc0351

SHA1
8435dcaccb9521f1355b2e87d82f504872687f37

SHA256
355ff9a2679b9a75d947078ff9e834de7d1128be6984109a262b0cadb9983699

SHA512
39af5bf166598489bf4e2608db343e64045dddfa8fa20dcb6032dba75604b1507f890c69deb81e2880cfd0813c6ee5a2ad3839625b119df1eaca023fbbdf55fb

Download Submit
C:\Windows\system\MAJkDOX.exe

Filesize
1.8MB

MD5
7b2ad3bb190933af492b2053b378c708

SHA1
5cb4480da9a6da9a510d2ae540677ef948bf986c

SHA256
7f4986f7584c84a19c645a05d05090832f6601f47b9dc738da759b5cedfa94fd

SHA512
5edd876783e869ae4c9ee54ff96e9404e11801fc551ff95bcdbcd1bf92aba7482afa850fd1f606f41bfae18d0f0159aa70f2ec507d15c3712204c0b6394fb40b

Download Submit
C:\Windows\system\OYDTcSe.exe

Filesize
1.8MB

MD5
e994d219662514a4a0cf3014e9e45459

SHA1
05876a6ad0b1ee46c9ab4acd4228c52d904d869c

SHA256
df2f95f3b404bd9ea2cf85e974d20fdcbc096cccdabf118b8314136d85feee20

SHA512
9b9eb0e1c41b6b982606376db250456d881824d7d62ce1dd66d85282c8c49b41c091cb6485423815a21dfdea40981a125f5e6c3a8b0547db19fd39e3936cca7d

Download Submit
C:\Windows\system\OrmvXyP.exe

Filesize
1.8MB

MD5
c79030327ea25fce9bf8651af18b61ef

SHA1
175450af4dd578274173800b6143c09f613cdc80

SHA256
3ac134ad57bcdab504dc66116d33f21438bc077ebb236258cd659d17b91d1bb8

SHA512
9fba45af72071094fe509b5e631c4a8cd13ac5b7408dea651f01a39049bd05db4dfb7e55dec245aa0465ec79648740fe5bf5d25047459df5525e56908da2287c

Download Submit
C:\Windows\system\RBvTUIE.exe

Filesize
1.8MB

MD5
f2219da9bcdf01d06b78cc4644c05c65

SHA1
1033c6d506003d1138dae59fb7a6b2bdd1dd2ec8

SHA256
aebc03521eeb1e5afe6450b257057519a9e4a3ee26048f6a42f928961bd81c49

SHA512
de50514be08728137a06b52be070e718a4c8f5371c81eea798f875ba59c3bd42d1c4bea4290f3d962981b69697e5de79d6e2e523d5884033771d522eb469f688

Download Submit
C:\Windows\system\XAnIVdL.exe

Filesize
1.8MB

MD5
468bf24b1ef23b35615119a1c41eaa3a

SHA1
b3e0c266dfedb700df83f4d01118970f0cb2784d

SHA256
24536acd42ac6d879d0d8262aa3168e318bb8f0b1de88c20969c1274d6b03d1c

SHA512
89746fd524d59c31201fd072b8d5b8b7bde234a9715157a6b68dade5eced48ad360614281483d0b3d9af4d0825922ce86b8cd3142b66792e9d2604870bc707ff

Download Submit
C:\Windows\system\YjuPPns.exe

Filesize
1.8MB

MD5
0e20b792c96a70c4b3d50a95928fc0c0

SHA1
7d511debb400ebad9e2752df53dd986a2d731a4c

SHA256
e516d56766ebdf22a2060dce4a7c4bf2308ed3069de118c6608da607d5fa25f1

SHA512
1184a547a90eb9da647b52cc0d579f861aaa85ab202e97475eeb0f89a6a112848dce57ff0ca921b28cae5043b529a9bea17fa566bdea55792e9044326c7125d6

Download Submit
C:\Windows\system\ZaPhQNU.exe

Filesize
1.8MB

MD5
e0ed70aa323fd8f10e0605b881f49d85

SHA1
41379145b7c4800f550ed02d72190f256ea0cb49

SHA256
8b9b640dc990862331a718da452448034e510f470d73fa1f15eba7aca299610c

SHA512
b1f1b5ff125028a517e426b8017cae510bf059c436ec5bbe00e654bfb3795979ffb663bcd54aff3c0faddfb7d54965fc9b7a539caf86d35e85bb83645f20107b

Download Submit
C:\Windows\system\abkzsNP.exe

Filesize
1.8MB

MD5
4fe6c20dd1a44cd9abc81212b282deba

SHA1
adbc83ffb118ba2b4473b5ec865ec4133d665ce8

SHA256
fa6e223d7d85891457fb57c4a344d1bebf822aa80325d465c3fbb774a7089eaf

SHA512
00c913a270a2cf2dce1930977cb04f5bc626ab35b50fd9541127c75b07ce91844fc2abf11a29031cf8ee027891c46871bcdc17c547316d6bbca9d4b89b20c17e

Download Submit
C:\Windows\system\blBwMOV.exe

Filesize
1.8MB

MD5
c4b9b6d3dbb74a7964401bb0cfbcbc3e

SHA1
225d4b567d7063cae169472fd23b51942b763177

SHA256
a1e5cdcf886034ecf61cc7668107a1454b5acfde06273dd2eaef0c90a883be4f

SHA512
e94bd9dba7de0a6000d65c998e8161cc0d386cb91a286a2f4fae926f1128e4ab8ba989825ec59f4d008de12a126d83420f6c5c2e730740c5c20b8061e1926c84

Download Submit
C:\Windows\system\kaXRYfm.exe

Filesize
1.8MB

MD5
21d2d8b5b67e1c8800a0df7e9b6d90a7

SHA1
563c1aab47795e71640f1ed42b9a557d1dcceb76

SHA256
3ca7e3863ba0c559519e63164ae8f0b74db8b3e91e6ef4f2cf0a599e6dd31428

SHA512
dc54c6eab400590e35d746a8c1120bcc702aceed53fbdd03cd75d3ba2dd9c0c43600e56bb33c001ffd54ec4e0c74959d185ff31e3af3dc1941e9fabed28e9d40

Download Submit
C:\Windows\system\ldqwGfw.exe

Filesize
1.8MB

MD5
151cbd0b5b9321803860f2920ee13b07

SHA1
55e8fe5ea0600751e35d14c6a9b9bbd3eed910c2

SHA256
c0a44c539f302917f107fac9eeab6b7f1a169357d971b43c0a0d312c39649e13

SHA512
6439a7bec58150260b3e2d375eb92da2b7890cc731f14c3638b77c4493a4df10944920b2065bdff729afd255ce46bd3c89a9fdc861c318440ae0bd8a53f212a9

Download Submit
C:\Windows\system\mnUvzAd.exe

Filesize
1.8MB

MD5
1c5545b7d99973e048208eea34727c7a

SHA1
9526286c72f09cbb876b09d7a8516edda2801377

SHA256
4a364ab7426b2de7033eedbd7ebc79fafcd5401bc6095648734ededff149e1e5

SHA512
301c4e72b35f7b40ec27fe08c492ebe9fc7b24505bf7a88ce979538d05bcebbcf55b0eb6597a0ea5df3b990c7932a7c5c205f166f5ed50f464eb7a10b2b67598

Download Submit
C:\Windows\system\nfAHLmh.exe

Filesize
1.8MB

MD5
baadb1f24445e3f8f37c80d4b8e1c303

SHA1
54c97a8d26e3935911ce60974917d60885abee6c

SHA256
e588699009957c9ffaf14066444a70f805f128cc4fedebaeca148282a64b68d2

SHA512
aa9dd3960be3f8b4a045ce30ac57ea1b786200fdbef25cc463521dde610a72cce11db9eae69e503fcc926c30e53461da716d07329c8141dcd092b81f2962b5fe

Download Submit
C:\Windows\system\pCEsVGo.exe

Filesize
1.8MB

MD5
0edd6ea69ad75312a00b465801b2b537

SHA1
009d15372ca7d8952ecdd47a17f1e57ab27f0536

SHA256
7c6c8f6a653636c6aff743f5abb97e9690326571fb63f1e123e0ba3d346b7a48

SHA512
cd15d62563def0bd67c0418aae12db9889bb4ac0ebd4e0b62d4c834fa76815343c333171b4216c42a2efe8d27d62fc5f7ebb7ba1bd7b8cfab05c661c0428b226

Download Submit
C:\Windows\system\qBYBAgC.exe

Filesize
1.8MB

MD5
717829abfe6ad898c8032ba1c22c18e2

SHA1
c0f78e2613f19598c93f23881653f4c57fefb881

SHA256
10508e8b15646a31db461a58f317ec360296f6bd12e7e14e3239e14dbd791a44

SHA512
c32bf86f0a033284f5b6ed866e033188763827cd315cb9115a36c5ea1de8071aa14cf534a7f8c8a61297c1ea281ab3092b6700cd03a82874f6f0fc59403356b5

Download Submit
C:\Windows\system\tHIvErt.exe

Filesize
1.8MB

MD5
8e0cda0fe98f0a2b591acae51bb45406

SHA1
62496402d7fe632cecfbb25ae65fceb554dcfc61

SHA256
a08ae8ce6a0f18fd76b4b2600964e626c96c899eecf358fab5a004d424c5b98e

SHA512
05279e216a196ac40b74e8a97a3fea0dfe125a066e958bbee0dd764f299279a29abf6f4d5b3be0ac69bb6d6150d68541fe19f1d55ef68bf17fad2a090a7a67b0

Download Submit
C:\Windows\system\tgpDvwh.exe

Filesize
1.8MB

MD5
f8688cd230988ff01f2fafabb9f04630

SHA1
63bb41231a8177d46b6cc446350b457226544eac

SHA256
a44f25bea48973fed96eeb14a83abbceadc89e59fb8a33acb39b45c390102b89

SHA512
7b64c86281d2189ba4c100b305970ba53438dcd730c578e2fc105f9a682eab9478b7f6877073c26d457fb4014c7e1695e9b3490d6b3d5f8c13cfd9f70ba516ef

Download Submit
C:\Windows\system\xeCDCjM.exe

Filesize
1.8MB

MD5
336be92a88039ba945750205abda47ac

SHA1
e7871bdba615982a5986acaa36f00fc39ccb2043

SHA256
20b4f82532efb3be25784ea6c301e81166dd5ec8c3dfb4e280d62262cad97fc9

SHA512
51bbfca84004caad67de80e5a9c756b4c8ecba0a7d1ee6f88d7c7428a6c0bd23485ced71cebd92f7c0d0715d68ab2170d28aec8b12c629503ab38eeb5e20e283

Download Submit
\Windows\system\AwhvjVk.exe

Filesize
1.8MB

MD5
ccc1a07963ebf501b9be0b8946abdf26

SHA1
af160422fbf8e3a4091ccd3a15748b610c9d0bdc

SHA256
73c10e6919b9ceff8d2e03ddb873175a364d69bf52d87b7454b7fc97e0625a3a

SHA512
f6952f427ada706957ed9ea06587069373b833dde885c69a6f68bda6176a77f20b7a71387ba4af8a879438a570c71d3aab5d3e22e86f64325134e047a339197b

Download Submit
\Windows\system\ExTXHLQ.exe

Filesize
1.8MB

MD5
547387b346c9490a9ec4b5b6f4fa6f66

SHA1
0bd28302669c9a58496e2b26b0a384556f5907a9

SHA256
f335fa3254415c6b08aae5b274ea9cba5f19d6aa02a5e4eb2868542de90f7e4a

SHA512
6e50c9ee7c8ff4e933c2d6d2fc8d42964c426ee1ab6908bd930c6db19e19bdc021c685f4d341a4fb44f63e3da947d3fb456705f89411a79d4c43559777c742ee

Download Submit
\Windows\system\FNNkllm.exe

Filesize
1.8MB

MD5
efe2aa25735213d2b16793f4c8a2784f

SHA1
3da5134777db18a6a599a4b93065f9687347bf6c

SHA256
484110c67d261dadb22650de5fdef05dcd4d58dde43279cf1b1967a152acf6a1

SHA512
96d6ef46c22d7bfe3968745d638ca6bda4e03bf06747cc87d1508725989b890caba1554fbf8c1333b308322408d3632c888d2742cc5b55ba5ea5f9de592bfeb8

Download Submit
\Windows\system\GYLEuoI.exe

Filesize
1.8MB

MD5
668745a3f377344445cd0f4d43f9b43d

SHA1
a8e4998a00133a4245023ff31bd400ac83e5da85

SHA256
0ca99fcb8875f91caa9a1abe45db04a50c5e7bfc29c01f51947f1ab48a1cab37

SHA512
73ef3a279c012fbf23e85647e48612172a4d15de75c75490a80c8eac3b2a395c11f18ed8cb9be1413c20235775eba624bc63aa006a27f05103c7c55ac4c82bb1

Download Submit
\Windows\system\GfdDeOC.exe

Filesize
1.8MB

MD5
333abcd29b4fbdeb366a6bf6ff510730

SHA1
4532a50903d2222ce66bc2d5b64859b448e467dc

SHA256
8d0a3551b6242072455ce7a1ded9ffe104081bbb645596a7d0898ed729afb1c4

SHA512
01025e78871f07eaea89854c0e6dc62f8b19a6bc38ce33b88f5bda1221c9d24db6661a5c03c455f56435235b26349683a4bab95a442a66613794d3d5a621be6a

Download Submit
\Windows\system\HwzoEXu.exe

Filesize
1.8MB

MD5
b88f4cfaea19a61c948b57fb4742d42c

SHA1
8d75edd3c71e3ea47574c6312fdc80b9748d5b5a

SHA256
a6a03e61aef7f87152a29a6dfedf653c8708a7bbfdb3e428354876e4e23a42e5

SHA512
2d5823afb8fa221925144445c0d8e2e2bcaa9b24f8f69782029ca9b6a956c352a860b237e02c0de7b79beea91fefe9ac054c2d508b272d60237a1e725a64132a

Download Submit
\Windows\system\JwZTgXp.exe

Filesize
1.8MB

MD5
3b63211a3313ad4b692d727b9f9830bc

SHA1
e502d7e5ef781f7ae394bdef7b8e7ed5aeff4390

SHA256
1e7f446d7ebb7621cf2d436c84b1db4e88c19ed4e365317b01cfd47fbde99a98

SHA512
5792401833716e3c1428474fde2ee6a3e6bb655b7fd810413e261f0e1e2439487053ad05ce1bc2bfd9a6a45b98c722ef2d60ad2af412a935aed5c9159221216c

Download Submit
\Windows\system\KCnGGDW.exe

Filesize
1.8MB

MD5
e9e66f5e4eeced4d8fa4e843eebc0351

SHA1
8435dcaccb9521f1355b2e87d82f504872687f37

SHA256
355ff9a2679b9a75d947078ff9e834de7d1128be6984109a262b0cadb9983699

SHA512
39af5bf166598489bf4e2608db343e64045dddfa8fa20dcb6032dba75604b1507f890c69deb81e2880cfd0813c6ee5a2ad3839625b119df1eaca023fbbdf55fb

Download Submit
\Windows\system\MAJkDOX.exe

Filesize
1.8MB

MD5
7b2ad3bb190933af492b2053b378c708

SHA1
5cb4480da9a6da9a510d2ae540677ef948bf986c

SHA256
7f4986f7584c84a19c645a05d05090832f6601f47b9dc738da759b5cedfa94fd

SHA512
5edd876783e869ae4c9ee54ff96e9404e11801fc551ff95bcdbcd1bf92aba7482afa850fd1f606f41bfae18d0f0159aa70f2ec507d15c3712204c0b6394fb40b

Download Submit
\Windows\system\OYDTcSe.exe

Filesize
1.8MB

MD5
e994d219662514a4a0cf3014e9e45459

SHA1
05876a6ad0b1ee46c9ab4acd4228c52d904d869c

SHA256
df2f95f3b404bd9ea2cf85e974d20fdcbc096cccdabf118b8314136d85feee20

SHA512
9b9eb0e1c41b6b982606376db250456d881824d7d62ce1dd66d85282c8c49b41c091cb6485423815a21dfdea40981a125f5e6c3a8b0547db19fd39e3936cca7d

Download Submit
\Windows\system\OrmvXyP.exe

Filesize
1.8MB

MD5
c79030327ea25fce9bf8651af18b61ef

SHA1
175450af4dd578274173800b6143c09f613cdc80

SHA256
3ac134ad57bcdab504dc66116d33f21438bc077ebb236258cd659d17b91d1bb8

SHA512
9fba45af72071094fe509b5e631c4a8cd13ac5b7408dea651f01a39049bd05db4dfb7e55dec245aa0465ec79648740fe5bf5d25047459df5525e56908da2287c

Download Submit
\Windows\system\RBvTUIE.exe

Filesize
1.8MB

MD5
f2219da9bcdf01d06b78cc4644c05c65

SHA1
1033c6d506003d1138dae59fb7a6b2bdd1dd2ec8

SHA256
aebc03521eeb1e5afe6450b257057519a9e4a3ee26048f6a42f928961bd81c49

SHA512
de50514be08728137a06b52be070e718a4c8f5371c81eea798f875ba59c3bd42d1c4bea4290f3d962981b69697e5de79d6e2e523d5884033771d522eb469f688

Download Submit
\Windows\system\XAnIVdL.exe

Filesize
1.8MB

MD5
468bf24b1ef23b35615119a1c41eaa3a

SHA1
b3e0c266dfedb700df83f4d01118970f0cb2784d

SHA256
24536acd42ac6d879d0d8262aa3168e318bb8f0b1de88c20969c1274d6b03d1c

SHA512
89746fd524d59c31201fd072b8d5b8b7bde234a9715157a6b68dade5eced48ad360614281483d0b3d9af4d0825922ce86b8cd3142b66792e9d2604870bc707ff

Download Submit
\Windows\system\YjuPPns.exe

Filesize
1.8MB

MD5
0e20b792c96a70c4b3d50a95928fc0c0

SHA1
7d511debb400ebad9e2752df53dd986a2d731a4c

SHA256
e516d56766ebdf22a2060dce4a7c4bf2308ed3069de118c6608da607d5fa25f1

SHA512
1184a547a90eb9da647b52cc0d579f861aaa85ab202e97475eeb0f89a6a112848dce57ff0ca921b28cae5043b529a9bea17fa566bdea55792e9044326c7125d6

Download Submit
\Windows\system\ZaPhQNU.exe

Filesize
1.8MB

MD5
e0ed70aa323fd8f10e0605b881f49d85

SHA1
41379145b7c4800f550ed02d72190f256ea0cb49

SHA256
8b9b640dc990862331a718da452448034e510f470d73fa1f15eba7aca299610c

SHA512
b1f1b5ff125028a517e426b8017cae510bf059c436ec5bbe00e654bfb3795979ffb663bcd54aff3c0faddfb7d54965fc9b7a539caf86d35e85bb83645f20107b

Download Submit
\Windows\system\abkzsNP.exe

Filesize
1.8MB

MD5
4fe6c20dd1a44cd9abc81212b282deba

SHA1
adbc83ffb118ba2b4473b5ec865ec4133d665ce8

SHA256
fa6e223d7d85891457fb57c4a344d1bebf822aa80325d465c3fbb774a7089eaf

SHA512
00c913a270a2cf2dce1930977cb04f5bc626ab35b50fd9541127c75b07ce91844fc2abf11a29031cf8ee027891c46871bcdc17c547316d6bbca9d4b89b20c17e

Download Submit
\Windows\system\blBwMOV.exe

Filesize
1.8MB

MD5
c4b9b6d3dbb74a7964401bb0cfbcbc3e

SHA1
225d4b567d7063cae169472fd23b51942b763177

SHA256
a1e5cdcf886034ecf61cc7668107a1454b5acfde06273dd2eaef0c90a883be4f

SHA512
e94bd9dba7de0a6000d65c998e8161cc0d386cb91a286a2f4fae926f1128e4ab8ba989825ec59f4d008de12a126d83420f6c5c2e730740c5c20b8061e1926c84

Download Submit
\Windows\system\gJClkzd.exe

Filesize
1.8MB

MD5
47297e8b8ef60a8d3bfe14f54289a691

SHA1
1a30d5dc4ef47c79c74c4c832f45bb4509abf58e

SHA256
0a5fd9953b92e53950124d6a236e0d1e77ad3ccf47eca40ca3cf1b40dfb09f4d

SHA512
0c7f030aafc287b99993df818922e365620140f3a7be94f9d89aa1cbf18fceadcab0827ab17084ccfbf5e914015ffbf6479163aacf6512f2f4e279ecbb9c9488

Download Submit
\Windows\system\kaXRYfm.exe

Filesize
1.8MB

MD5
21d2d8b5b67e1c8800a0df7e9b6d90a7

SHA1
563c1aab47795e71640f1ed42b9a557d1dcceb76

SHA256
3ca7e3863ba0c559519e63164ae8f0b74db8b3e91e6ef4f2cf0a599e6dd31428

SHA512
dc54c6eab400590e35d746a8c1120bcc702aceed53fbdd03cd75d3ba2dd9c0c43600e56bb33c001ffd54ec4e0c74959d185ff31e3af3dc1941e9fabed28e9d40

Download Submit
\Windows\system\ldqwGfw.exe

Filesize
1.8MB

MD5
151cbd0b5b9321803860f2920ee13b07

SHA1
55e8fe5ea0600751e35d14c6a9b9bbd3eed910c2

SHA256
c0a44c539f302917f107fac9eeab6b7f1a169357d971b43c0a0d312c39649e13

SHA512
6439a7bec58150260b3e2d375eb92da2b7890cc731f14c3638b77c4493a4df10944920b2065bdff729afd255ce46bd3c89a9fdc861c318440ae0bd8a53f212a9

Download Submit
\Windows\system\mnUvzAd.exe

Filesize
1.8MB

MD5
1c5545b7d99973e048208eea34727c7a

SHA1
9526286c72f09cbb876b09d7a8516edda2801377

SHA256
4a364ab7426b2de7033eedbd7ebc79fafcd5401bc6095648734ededff149e1e5

SHA512
301c4e72b35f7b40ec27fe08c492ebe9fc7b24505bf7a88ce979538d05bcebbcf55b0eb6597a0ea5df3b990c7932a7c5c205f166f5ed50f464eb7a10b2b67598

Download Submit
\Windows\system\mutEoDY.exe

Filesize
1.8MB

MD5
c8c73e801b1a2c654eaf87a0d721c01f

SHA1
5048ee954203241cae478af17e0feb923e927f21

SHA256
8fc45156b0fed8b6ce4e36dccde51aa070444211d761514ce9ddae1851ea90df

SHA512
52ce6f83d65668c365745457c04c7923b04f9c99419e6fa5411e719147d763911257072183f2c82a9c8247e2ddd209081b0a9da0880dab286db73c70e3e96631

Download Submit
\Windows\system\nfAHLmh.exe

Filesize
1.8MB

MD5
baadb1f24445e3f8f37c80d4b8e1c303

SHA1
54c97a8d26e3935911ce60974917d60885abee6c

SHA256
e588699009957c9ffaf14066444a70f805f128cc4fedebaeca148282a64b68d2

SHA512
aa9dd3960be3f8b4a045ce30ac57ea1b786200fdbef25cc463521dde610a72cce11db9eae69e503fcc926c30e53461da716d07329c8141dcd092b81f2962b5fe

Download Submit
\Windows\system\pCEsVGo.exe

Filesize
1.8MB

MD5
0edd6ea69ad75312a00b465801b2b537

SHA1
009d15372ca7d8952ecdd47a17f1e57ab27f0536

SHA256
7c6c8f6a653636c6aff743f5abb97e9690326571fb63f1e123e0ba3d346b7a48

SHA512
cd15d62563def0bd67c0418aae12db9889bb4ac0ebd4e0b62d4c834fa76815343c333171b4216c42a2efe8d27d62fc5f7ebb7ba1bd7b8cfab05c661c0428b226

Download Submit
\Windows\system\qBYBAgC.exe

Filesize
1.8MB

MD5
717829abfe6ad898c8032ba1c22c18e2

SHA1
c0f78e2613f19598c93f23881653f4c57fefb881

SHA256
10508e8b15646a31db461a58f317ec360296f6bd12e7e14e3239e14dbd791a44

SHA512
c32bf86f0a033284f5b6ed866e033188763827cd315cb9115a36c5ea1de8071aa14cf534a7f8c8a61297c1ea281ab3092b6700cd03a82874f6f0fc59403356b5

Download Submit
\Windows\system\tHIvErt.exe

Filesize
1.8MB

MD5
8e0cda0fe98f0a2b591acae51bb45406

SHA1
62496402d7fe632cecfbb25ae65fceb554dcfc61

SHA256
a08ae8ce6a0f18fd76b4b2600964e626c96c899eecf358fab5a004d424c5b98e

SHA512
05279e216a196ac40b74e8a97a3fea0dfe125a066e958bbee0dd764f299279a29abf6f4d5b3be0ac69bb6d6150d68541fe19f1d55ef68bf17fad2a090a7a67b0

Download Submit
\Windows\system\tgpDvwh.exe

Filesize
1.8MB

MD5
f8688cd230988ff01f2fafabb9f04630

SHA1
63bb41231a8177d46b6cc446350b457226544eac

SHA256
a44f25bea48973fed96eeb14a83abbceadc89e59fb8a33acb39b45c390102b89

SHA512
7b64c86281d2189ba4c100b305970ba53438dcd730c578e2fc105f9a682eab9478b7f6877073c26d457fb4014c7e1695e9b3490d6b3d5f8c13cfd9f70ba516ef

Download Submit
\Windows\system\xeCDCjM.exe

Filesize
1.8MB

MD5
336be92a88039ba945750205abda47ac

SHA1
e7871bdba615982a5986acaa36f00fc39ccb2043

SHA256
20b4f82532efb3be25784ea6c301e81166dd5ec8c3dfb4e280d62262cad97fc9

SHA512
51bbfca84004caad67de80e5a9c756b4c8ecba0a7d1ee6f88d7c7428a6c0bd23485ced71cebd92f7c0d0715d68ab2170d28aec8b12c629503ab38eeb5e20e283

Download Submit
memory/2564-800-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2572-797-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2628-0-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2688-201-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-204-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2688-616-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-643-0x000007FEF62F0000-0x000007FEF6C8D000-memory.dmp

Filesize
9.6MB

Download
memory/2688-645-0x0000000002774000-0x0000000002777000-memory.dmp

Filesize
12KB

Download
memory/2688-646-0x000000000277B000-0x00000000027E2000-memory.dmp

Filesize
412KB

Download