8e3571997c4ae41c38944d0de262e52125e4993193cc6f7c36cafd20034bdcb0

Analysis

max time kernel
102s
max time network
15s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 20:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a94f119a17976b55a6c9f415582f81c0N.exe
Size

208KB
MD5

a94f119a17976b55a6c9f415582f81c0
SHA1

3b3112702de77e2cfdd2ded0c31ca13dafe9b085
SHA256

8e3571997c4ae41c38944d0de262e52125e4993193cc6f7c36cafd20034bdcb0
SHA512

b9b29aedb298bd0a513ebd0e66d59de087f3708846b8845bc856fa8c73db7cc64fd533a35b8443ee2ed2d29da393c89b0e463ddf952b90a1882fb78acd099e3f
SSDEEP

3072:YaCccMSFPJMHwqXYyD56LZPqG8ToYG6CJnh/rbKHWYsS+O4NLthEjQT6:lCccMSd6wgD5SRyJCJR3KHtFQEj

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3028	FSJTIVL.exe
2112	NIUMSP.exe
760	IVLWDAH.exe
2452	MFEQGVV.exe
2700	LDXTTA.exe
1404	YDDR.exe
1884	STJKQF.exe
1676	ZRTXW.exe
2436	ZZSGPQU.exe
912	LPLG.exe
932	JHEKRW.exe
1592	VXKCOT.exe
1120	UKTFOV.exe
2812	QKAL.exe
2648	LVV.exe
2732	MVBX.exe
2568	EAYHFN.exe
2452	LTTBU.exe
2672	MBRKV.exe
2904	WWVDQ.exe
2504	FEGESK.exe
2276	CGOBVKP.exe
2444	MEG.exe
2512	CXOAKV.exe
1772	QXUYLU.exe
2076	NAQ.exe
872	BAXAZI.exe
2540	SNT.exe
2208	RAQDPGJ.exe
2868	RIPEP.exe
2612	DDQJP.exe
2356	NBIV.exe
1700	XDE.exe
2980	OQBNRBH.exe
2560	ALD.exe
2108	GJANUD.exe
2232	XWXFLLX.exe
1676	NPFRJ.exe
304	VZSL.exe
2364	HEWS.exe
992	VPRJVL.exe
1708	WVCZ.exe
2056	QNPWP.exe
1660	GFW.exe
2208	EDIC.exe
2840	WGICD.exe
2632	BLNJ.exe
1704	BTLS.exe
2788	JLGMSQ.exe
2652	VBZEFUX.exe
1516	JBGKH.exe
2108	IOPMHD.exe
2428	WPBSZ.exe
1676	FZK.exe
1532	RUZFSB.exe
264	MXB.exe
3000	UPPPFVZ.exe
1592	HFNBFXG.exe
2336	JFB.exe
2744	XIVGJ.exe
2820	XQI.exe
1300	LYOV.exe
2684	KLXFDJR.exe
2476	RJVS.exe

Loads dropped DLL 64 IoCs

pid	Process
916	cmd.exe
916	cmd.exe
2228	cmd.exe
2228	cmd.exe
1184	cmd.exe
1184	cmd.exe
828	cmd.exe
828	cmd.exe
2580	cmd.exe
2580	cmd.exe
1724	cmd.exe
1724	cmd.exe
2756	cmd.exe
2756	cmd.exe
2880	cmd.exe
2880	cmd.exe
2844	cmd.exe
2844	cmd.exe
3008	cmd.exe
3008	cmd.exe
2460	cmd.exe
2460	cmd.exe
1184	cmd.exe
1184	cmd.exe
2296	cmd.exe
2296	cmd.exe
672	cmd.exe
672	cmd.exe
2128	cmd.exe
2128	cmd.exe
1368	cmd.exe
1368	cmd.exe
2308	cmd.exe
2308	cmd.exe
1496	cmd.exe
1496	cmd.exe
2164	cmd.exe
2164	cmd.exe
2456	cmd.exe
2456	cmd.exe
1564	cmd.exe
1564	cmd.exe
2872	cmd.exe
2872	cmd.exe
2484	cmd.exe
2484	cmd.exe
1888	cmd.exe
1888	cmd.exe
2400	cmd.exe
2400	cmd.exe
828	cmd.exe
828	cmd.exe
1600	cmd.exe
1600	cmd.exe
652	cmd.exe
652	cmd.exe
2804	cmd.exe
2804	cmd.exe
2408	cmd.exe
2408	cmd.exe
1860	cmd.exe
1860	cmd.exe
1800	cmd.exe
1800	cmd.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\STJKQF.exe.bat	YDDR.exe
File opened for modification	C:\windows\SysWOW64\GJANUD.exe	ALD.exe
File created	C:\windows\SysWOW64\ORRTLI.exe	ROVWRBH.exe
File created	C:\windows\SysWOW64\AEZ.exe	VGO.exe
File created	C:\windows\SysWOW64\RGKGD.exe	MBING.exe
File created	C:\windows\SysWOW64\LYOV.exe	XQI.exe
File opened for modification	C:\windows\SysWOW64\GABRNSM.exe	UFMEX.exe
File created	C:\windows\SysWOW64\GABRNSM.exe.bat	UFMEX.exe
File created	C:\windows\SysWOW64\AZLVCMZ.exe.bat	YEI.exe
File created	C:\windows\SysWOW64\WRV.exe	PUXHYT.exe
File created	C:\windows\SysWOW64\SNT.exe.bat	BAXAZI.exe
File opened for modification	C:\windows\SysWOW64\JBGKH.exe	VBZEFUX.exe
File opened for modification	C:\windows\SysWOW64\JFB.exe	HFNBFXG.exe
File opened for modification	C:\windows\SysWOW64\MBING.exe	ALO.exe
File opened for modification	C:\windows\SysWOW64\BTLS.exe	BLNJ.exe
File created	C:\windows\SysWOW64\AEZ.exe.bat	VGO.exe
File opened for modification	C:\windows\SysWOW64\QKAL.exe	UKTFOV.exe
File created	C:\windows\SysWOW64\WPBSZ.exe	IOPMHD.exe
File created	C:\windows\SysWOW64\XQI.exe.bat	XIVGJ.exe
File created	C:\windows\SysWOW64\MAMFA.exe	PXEI.exe
File created	C:\windows\SysWOW64\GZMKD.exe.bat	ORRTLI.exe
File created	C:\windows\SysWOW64\SNT.exe	BAXAZI.exe
File opened for modification	C:\windows\SysWOW64\FEGESK.exe	WWVDQ.exe
File created	C:\windows\SysWOW64\CGOBVKP.exe	FEGESK.exe
File created	C:\windows\SysWOW64\GJANUD.exe.bat	ALD.exe
File created	C:\windows\SysWOW64\LYOV.exe.bat	XQI.exe
File created	C:\windows\SysWOW64\STJKQF.exe	YDDR.exe
File created	C:\windows\SysWOW64\WWVDQ.exe	MBRKV.exe
File created	C:\windows\SysWOW64\ORRTLI.exe.bat	ROVWRBH.exe
File opened for modification	C:\windows\SysWOW64\YDDR.exe	LDXTTA.exe
File created	C:\windows\SysWOW64\ZTANR.exe	AYRKR.exe
File created	C:\windows\SysWOW64\ELIPS.exe	SQH.exe
File created	C:\windows\SysWOW64\UKTFOV.exe	VXKCOT.exe
File opened for modification	C:\windows\SysWOW64\UKTFOV.exe	VXKCOT.exe
File created	C:\windows\SysWOW64\FEGESK.exe	WWVDQ.exe
File created	C:\windows\SysWOW64\WGICD.exe.bat	EDIC.exe
File created	C:\windows\SysWOW64\IKG.exe	THPDX.exe
File opened for modification	C:\windows\SysWOW64\CEYV.exe	AEZ.exe
File created	C:\windows\SysWOW64\MFEQGVV.exe.bat	IVLWDAH.exe
File created	C:\windows\SysWOW64\YDDR.exe.bat	LDXTTA.exe
File created	C:\windows\SysWOW64\WWVDQ.exe.bat	MBRKV.exe
File created	C:\windows\SysWOW64\XQI.exe	XIVGJ.exe
File created	C:\windows\SysWOW64\MBING.exe	ALO.exe
File opened for modification	C:\windows\SysWOW64\LPLG.exe	ZZSGPQU.exe
File created	C:\windows\SysWOW64\LPLG.exe.bat	ZZSGPQU.exe
File created	C:\windows\SysWOW64\WPBSZ.exe.bat	IOPMHD.exe
File created	C:\windows\SysWOW64\JFB.exe	HFNBFXG.exe
File opened for modification	C:\windows\SysWOW64\WRV.exe	PUXHYT.exe
File opened for modification	C:\windows\SysWOW64\MAMFA.exe	PXEI.exe
File opened for modification	C:\windows\SysWOW64\QXUYLU.exe	CXOAKV.exe
File opened for modification	C:\windows\SysWOW64\RAQDPGJ.exe	SNT.exe
File opened for modification	C:\windows\SysWOW64\RJVS.exe	KLXFDJR.exe
File created	C:\windows\SysWOW64\ZTANR.exe.bat	AYRKR.exe
File created	C:\windows\SysWOW64\RAQDPGJ.exe.bat	SNT.exe
File opened for modification	C:\windows\SysWOW64\OQBNRBH.exe	XDE.exe
File opened for modification	C:\windows\SysWOW64\XQI.exe	XIVGJ.exe
File created	C:\windows\SysWOW64\RJVS.exe	KLXFDJR.exe
File created	C:\windows\SysWOW64\MFEQGVV.exe	IVLWDAH.exe
File created	C:\windows\SysWOW64\CGOBVKP.exe.bat	FEGESK.exe
File created	C:\windows\SysWOW64\GJANUD.exe	ALD.exe
File opened for modification	C:\windows\SysWOW64\GZMKD.exe	ORRTLI.exe
File created	C:\windows\SysWOW64\ELIPS.exe.bat	SQH.exe
File created	C:\windows\SysWOW64\MBING.exe.bat	ALO.exe
File created	C:\windows\SysWOW64\QKAL.exe.bat	UKTFOV.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\windows\ZRTXW.exe	STJKQF.exe
File created	C:\windows\TBVPW.exe.bat	RJVS.exe
File created	C:\windows\NBG.exe	BLNJFO.exe
File opened for modification	C:\windows\LDXTTA.exe	MFEQGVV.exe
File created	C:\windows\FROHSW.exe	TBVPW.exe
File opened for modification	C:\windows\THPDX.exe	OCS.exe
File created	C:\windows\CBEB.exe	WDGGQTB.exe
File created	C:\windows\system\ALD.exe	OQBNRBH.exe
File opened for modification	C:\windows\system\VBZEFUX.exe	JLGMSQ.exe
File created	C:\windows\system\WZSBVTT.exe	AZLVCMZ.exe
File created	C:\windows\ZRTXW.exe	STJKQF.exe
File created	C:\windows\ZZSGPQU.exe	ZRTXW.exe
File created	C:\windows\system\FSOISHU.exe.bat	MAMFA.exe
File created	C:\windows\WDGGQTB.exe.bat	HJDJW.exe
File created	C:\windows\system\ALO.exe.bat	ELIPS.exe
File created	C:\windows\KLXFDJR.exe	LYOV.exe
File opened for modification	C:\windows\system\JLGMSQ.exe	BTLS.exe
File opened for modification	C:\windows\system\EAYHFN.exe	MVBX.exe
File created	C:\windows\TMHS.exe	GMV.exe
File opened for modification	C:\windows\system\SQH.exe	GABRNSM.exe
File created	C:\windows\RIPEP.exe	RAQDPGJ.exe
File created	C:\windows\system\BAXAZI.exe	NAQ.exe
File opened for modification	C:\windows\system\EDIC.exe	GFW.exe
File created	C:\windows\system\SXNJ.exe	WRV.exe
File created	C:\windows\system\SQH.exe.bat	GABRNSM.exe
File created	C:\windows\ZZSGPQU.exe.bat	ZRTXW.exe
File opened for modification	C:\windows\VXKCOT.exe	JHEKRW.exe
File created	C:\windows\DDQJP.exe.bat	RIPEP.exe
File opened for modification	C:\windows\system\GFW.exe	QNPWP.exe
File created	C:\windows\system\EDIC.exe.bat	GFW.exe
File created	C:\windows\PXEI.exe	PKHYFND.exe
File created	C:\windows\LAEDVNF.exe.bat	WFIHB.exe
File created	C:\windows\NIUMSP.exe	FSJTIVL.exe
File created	C:\windows\system\ZVJNZMQ.exe.bat	FCKZCU.exe
File opened for modification	C:\windows\system\LQMD.exe	FSOISHU.exe
File created	C:\windows\ZRTXW.exe.bat	STJKQF.exe
File opened for modification	C:\windows\system\JHEKRW.exe	LPLG.exe
File opened for modification	C:\windows\FZK.exe	WPBSZ.exe
File opened for modification	C:\windows\NIUMSP.exe	FSJTIVL.exe
File opened for modification	C:\windows\RUZFSB.exe	FZK.exe
File created	C:\windows\MVBX.exe	LVV.exe
File created	C:\windows\system\HFNBFXG.exe.bat	UPPPFVZ.exe
File created	C:\windows\TBVPW.exe	RJVS.exe
File opened for modification	C:\windows\system\BLNJFO.exe	ZTANR.exe
File opened for modification	C:\windows\system\VGO.exe	CBEB.exe
File created	C:\windows\NBIV.exe	DDQJP.exe
File created	C:\windows\system\EDIC.exe	GFW.exe
File created	C:\windows\FZK.exe.bat	WPBSZ.exe
File opened for modification	C:\windows\system\WMJ.exe	YOMFOW.exe
File created	C:\windows\system\SNUPBRC.exe	IKG.exe
File opened for modification	C:\windows\system\LVV.exe	QKAL.exe
File created	C:\windows\RUZFSB.exe.bat	FZK.exe
File created	C:\windows\system\MEG.exe	CGOBVKP.exe
File created	C:\windows\system\SNUPBRC.exe.bat	IKG.exe
File created	C:\windows\HJDJW.exe.bat	LAEDVNF.exe
File opened for modification	C:\windows\KLXFDJR.exe	LYOV.exe
File opened for modification	C:\windows\PXEI.exe	PKHYFND.exe
File created	C:\windows\THPDX.exe	OCS.exe
File opened for modification	C:\windows\WDGGQTB.exe	HJDJW.exe
File created	C:\windows\NBIV.exe.bat	DDQJP.exe
File created	C:\windows\NAQ.exe.bat	QXUYLU.exe
File created	C:\windows\system\GFW.exe	QNPWP.exe
File opened for modification	C:\windows\TBVPW.exe	RJVS.exe
File created	C:\windows\system\BLNJFO.exe.bat	ZTANR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NBG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FEGESK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPBSZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VBZEFUX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AZLVCMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RIPEP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EDIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UPPPFVZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LTTBU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LQMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SXNJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YEI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UKTFOV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WWVDQ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GZMKD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YDDR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BAXAZI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XDE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WVCZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FZK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NPFRJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KLXFDJR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UYXXY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LDXTTA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CEYV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZZSGPQU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MFEQGVV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DDQJP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NBIV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FSOISHU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WDGGQTB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2884	a94f119a17976b55a6c9f415582f81c0N.exe
3028	FSJTIVL.exe
2112	NIUMSP.exe
760	IVLWDAH.exe
2452	MFEQGVV.exe
2700	LDXTTA.exe
1404	YDDR.exe
1884	STJKQF.exe
1676	ZRTXW.exe
2436	ZZSGPQU.exe
912	LPLG.exe
932	JHEKRW.exe
1592	VXKCOT.exe
1120	UKTFOV.exe
2812	QKAL.exe
2648	LVV.exe
2732	MVBX.exe
2568	EAYHFN.exe
2452	LTTBU.exe
2672	MBRKV.exe
2904	WWVDQ.exe
2504	FEGESK.exe
2276	CGOBVKP.exe
2444	MEG.exe
2512	CXOAKV.exe
1772	QXUYLU.exe
2076	NAQ.exe
872	BAXAZI.exe
2540	SNT.exe
2208	RAQDPGJ.exe
2868	RIPEP.exe
2612	DDQJP.exe
2356	NBIV.exe
1700	XDE.exe
2980	OQBNRBH.exe
2560	ALD.exe
2108	GJANUD.exe
2232	XWXFLLX.exe
1676	NPFRJ.exe
304	VZSL.exe
2364	HEWS.exe
992	VPRJVL.exe
1708	WVCZ.exe
2056	QNPWP.exe
1660	GFW.exe
2208	EDIC.exe
2840	WGICD.exe
2632	BLNJ.exe
1704	BTLS.exe
2788	JLGMSQ.exe
2652	VBZEFUX.exe
1516	JBGKH.exe
2108	IOPMHD.exe
2428	WPBSZ.exe
1676	FZK.exe
1532	RUZFSB.exe
264	MXB.exe
3000	UPPPFVZ.exe
1592	HFNBFXG.exe
2336	JFB.exe
2744	XIVGJ.exe
2820	XQI.exe
1300	LYOV.exe
2684	KLXFDJR.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2884	a94f119a17976b55a6c9f415582f81c0N.exe
2884	a94f119a17976b55a6c9f415582f81c0N.exe
3028	FSJTIVL.exe
3028	FSJTIVL.exe
2112	NIUMSP.exe
2112	NIUMSP.exe
760	IVLWDAH.exe
760	IVLWDAH.exe
2452	MFEQGVV.exe
2452	MFEQGVV.exe
2700	LDXTTA.exe
2700	LDXTTA.exe
1404	YDDR.exe
1404	YDDR.exe
1884	STJKQF.exe
1884	STJKQF.exe
1676	ZRTXW.exe
1676	ZRTXW.exe
2436	ZZSGPQU.exe
2436	ZZSGPQU.exe
912	LPLG.exe
912	LPLG.exe
932	JHEKRW.exe
932	JHEKRW.exe
1592	VXKCOT.exe
1592	VXKCOT.exe
1120	UKTFOV.exe
1120	UKTFOV.exe
2812	QKAL.exe
2812	QKAL.exe
2648	LVV.exe
2648	LVV.exe
2732	MVBX.exe
2732	MVBX.exe
2568	EAYHFN.exe
2568	EAYHFN.exe
2452	LTTBU.exe
2452	LTTBU.exe
2672	MBRKV.exe
2672	MBRKV.exe
2904	WWVDQ.exe
2904	WWVDQ.exe
2504	FEGESK.exe
2504	FEGESK.exe
2276	CGOBVKP.exe
2276	CGOBVKP.exe
2444	MEG.exe
2444	MEG.exe
2512	CXOAKV.exe
2512	CXOAKV.exe
1772	QXUYLU.exe
1772	QXUYLU.exe
2076	NAQ.exe
2076	NAQ.exe
872	BAXAZI.exe
872	BAXAZI.exe
2540	SNT.exe
2540	SNT.exe
2208	RAQDPGJ.exe
2208	RAQDPGJ.exe
2868	RIPEP.exe
2868	RIPEP.exe
2612	DDQJP.exe
2612	DDQJP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2768	2884	a94f119a17976b55a6c9f415582f81c0N.exe	29
PID 2884 wrote to memory of 2768	2884	a94f119a17976b55a6c9f415582f81c0N.exe	29
PID 2884 wrote to memory of 2768	2884	a94f119a17976b55a6c9f415582f81c0N.exe	29
PID 2884 wrote to memory of 2768	2884	a94f119a17976b55a6c9f415582f81c0N.exe	29
PID 2768 wrote to memory of 3028	2768	cmd.exe	31
PID 2768 wrote to memory of 3028	2768	cmd.exe	31
PID 2768 wrote to memory of 3028	2768	cmd.exe	31
PID 2768 wrote to memory of 3028	2768	cmd.exe	31
PID 3028 wrote to memory of 2952	3028	FSJTIVL.exe	32
PID 3028 wrote to memory of 2952	3028	FSJTIVL.exe	32
PID 3028 wrote to memory of 2952	3028	FSJTIVL.exe	32
PID 3028 wrote to memory of 2952	3028	FSJTIVL.exe	32
PID 2952 wrote to memory of 2112	2952	cmd.exe	34
PID 2952 wrote to memory of 2112	2952	cmd.exe	34
PID 2952 wrote to memory of 2112	2952	cmd.exe	34
PID 2952 wrote to memory of 2112	2952	cmd.exe	34
PID 2112 wrote to memory of 2676	2112	NIUMSP.exe	35
PID 2112 wrote to memory of 2676	2112	NIUMSP.exe	35
PID 2112 wrote to memory of 2676	2112	NIUMSP.exe	35
PID 2112 wrote to memory of 2676	2112	NIUMSP.exe	35
PID 2676 wrote to memory of 760	2676	cmd.exe	37
PID 2676 wrote to memory of 760	2676	cmd.exe	37
PID 2676 wrote to memory of 760	2676	cmd.exe	37
PID 2676 wrote to memory of 760	2676	cmd.exe	37
PID 760 wrote to memory of 916	760	IVLWDAH.exe	38
PID 760 wrote to memory of 916	760	IVLWDAH.exe	38
PID 760 wrote to memory of 916	760	IVLWDAH.exe	38
PID 760 wrote to memory of 916	760	IVLWDAH.exe	38
PID 916 wrote to memory of 2452	916	cmd.exe	40
PID 916 wrote to memory of 2452	916	cmd.exe	40
PID 916 wrote to memory of 2452	916	cmd.exe	40
PID 916 wrote to memory of 2452	916	cmd.exe	40
PID 2452 wrote to memory of 2944	2452	MFEQGVV.exe	41
PID 2452 wrote to memory of 2944	2452	MFEQGVV.exe	41
PID 2452 wrote to memory of 2944	2452	MFEQGVV.exe	41
PID 2452 wrote to memory of 2944	2452	MFEQGVV.exe	41
PID 2944 wrote to memory of 2700	2944	cmd.exe	43
PID 2944 wrote to memory of 2700	2944	cmd.exe	43
PID 2944 wrote to memory of 2700	2944	cmd.exe	43
PID 2944 wrote to memory of 2700	2944	cmd.exe	43
PID 2700 wrote to memory of 2228	2700	LDXTTA.exe	44
PID 2700 wrote to memory of 2228	2700	LDXTTA.exe	44
PID 2700 wrote to memory of 2228	2700	LDXTTA.exe	44
PID 2700 wrote to memory of 2228	2700	LDXTTA.exe	44
PID 2228 wrote to memory of 1404	2228	cmd.exe	46
PID 2228 wrote to memory of 1404	2228	cmd.exe	46
PID 2228 wrote to memory of 1404	2228	cmd.exe	46
PID 2228 wrote to memory of 1404	2228	cmd.exe	46
PID 1404 wrote to memory of 1184	1404	YDDR.exe	47
PID 1404 wrote to memory of 1184	1404	YDDR.exe	47
PID 1404 wrote to memory of 1184	1404	YDDR.exe	47
PID 1404 wrote to memory of 1184	1404	YDDR.exe	47
PID 1184 wrote to memory of 1884	1184	cmd.exe	49
PID 1184 wrote to memory of 1884	1184	cmd.exe	49
PID 1184 wrote to memory of 1884	1184	cmd.exe	49
PID 1184 wrote to memory of 1884	1184	cmd.exe	49
PID 1884 wrote to memory of 2428	1884	STJKQF.exe	50
PID 1884 wrote to memory of 2428	1884	STJKQF.exe	50
PID 1884 wrote to memory of 2428	1884	STJKQF.exe	50
PID 1884 wrote to memory of 2428	1884	STJKQF.exe	50
PID 2428 wrote to memory of 1676	2428	cmd.exe	52
PID 2428 wrote to memory of 1676	2428	cmd.exe	52
PID 2428 wrote to memory of 1676	2428	cmd.exe	52
PID 2428 wrote to memory of 1676	2428	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\a94f119a17976b55a6c9f415582f81c0N.exe
"C:\Users\Admin\AppData\Local\Temp\a94f119a17976b55a6c9f415582f81c0N.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\FSJTIVL.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\windows\FSJTIVL.exe
    C:\windows\FSJTIVL.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\windows\NIUMSP.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\windows\NIUMSP.exe
        
        C:\windows\NIUMSP.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\IVLWDAH.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\windows\IVLWDAH.exe
        
        C:\windows\IVLWDAH.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\MFEQGVV.exe.bat" "
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:916
        
        C:\windows\SysWOW64\MFEQGVV.exe
        
        C:\windows\system32\MFEQGVV.exe
        9⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\LDXTTA.exe.bat" "
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\windows\LDXTTA.exe
        
        C:\windows\LDXTTA.exe
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\YDDR.exe.bat" "
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2228
        
        C:\windows\SysWOW64\YDDR.exe
        
        C:\windows\system32\YDDR.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\STJKQF.exe.bat" "
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\windows\SysWOW64\STJKQF.exe
        
        C:\windows\system32\STJKQF.exe
        15⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\ZRTXW.exe.bat" "
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\windows\ZRTXW.exe
        
        C:\windows\ZRTXW.exe
        17⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\ZZSGPQU.exe.bat" "
        18⤵
        
        PID:1528
        
        C:\windows\ZZSGPQU.exe
        
        C:\windows\ZZSGPQU.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\LPLG.exe.bat" "
        20⤵
        Loads dropped DLL
        
        PID:828
        
        C:\windows\SysWOW64\LPLG.exe
        
        C:\windows\system32\LPLG.exe
        21⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\JHEKRW.exe.bat" "
        22⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\windows\system\JHEKRW.exe
        
        C:\windows\system\JHEKRW.exe
        23⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\VXKCOT.exe.bat" "
        24⤵
        
        PID:904
        
        C:\windows\VXKCOT.exe
        
        C:\windows\VXKCOT.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\UKTFOV.exe.bat" "
        26⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\windows\SysWOW64\UKTFOV.exe
        
        C:\windows\system32\UKTFOV.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1120
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\QKAL.exe.bat" "
        28⤵
        Loads dropped DLL
        
        PID:2756
        
        C:\windows\SysWOW64\QKAL.exe
        
        C:\windows\system32\QKAL.exe
        29⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2812
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\LVV.exe.bat" "
        30⤵
        Loads dropped DLL
        
        PID:2880
        
        C:\windows\system\LVV.exe
        
        C:\windows\system\LVV.exe
        31⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\MVBX.exe.bat" "
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\windows\MVBX.exe
        
        C:\windows\MVBX.exe
        33⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\EAYHFN.exe.bat" "
        34⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2844
        
        C:\windows\system\EAYHFN.exe
        
        C:\windows\system\EAYHFN.exe
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\LTTBU.exe.bat" "
        36⤵
        Loads dropped DLL
        
        PID:3008
        
        C:\windows\system\LTTBU.exe
        
        C:\windows\system\LTTBU.exe
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\MBRKV.exe.bat" "
        38⤵
        
        PID:2984
        
        C:\windows\MBRKV.exe
        
        C:\windows\MBRKV.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\WWVDQ.exe.bat" "
        40⤵
        Loads dropped DLL
        
        PID:2460
        
        C:\windows\SysWOW64\WWVDQ.exe
        
        C:\windows\system32\WWVDQ.exe
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2904
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\FEGESK.exe.bat" "
        42⤵
        Loads dropped DLL
        
        PID:1184
        
        C:\windows\SysWOW64\FEGESK.exe
        
        C:\windows\system32\FEGESK.exe
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2504
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\CGOBVKP.exe.bat" "
        44⤵
        Loads dropped DLL
        
        PID:2296
        
        C:\windows\SysWOW64\CGOBVKP.exe
        
        C:\windows\system32\CGOBVKP.exe
        45⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2276
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\MEG.exe.bat" "
        46⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:672
        
        C:\windows\system\MEG.exe
        
        C:\windows\system\MEG.exe
        47⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\CXOAKV.exe.bat" "
        48⤵
        Loads dropped DLL
        
        PID:2128
        
        C:\windows\system\CXOAKV.exe
        
        C:\windows\system\CXOAKV.exe
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2512
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\QXUYLU.exe.bat" "
        50⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\windows\SysWOW64\QXUYLU.exe
        
        C:\windows\system32\QXUYLU.exe
        51⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1772
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\NAQ.exe.bat" "
        52⤵
        
        PID:564
        
        C:\windows\NAQ.exe
        
        C:\windows\NAQ.exe
        53⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\BAXAZI.exe.bat" "
        54⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2308
        
        C:\windows\system\BAXAZI.exe
        
        C:\windows\system\BAXAZI.exe
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\SNT.exe.bat" "
        56⤵
        Loads dropped DLL
        
        PID:1496
        
        C:\windows\SysWOW64\SNT.exe
        
        C:\windows\system32\SNT.exe
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2540
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\RAQDPGJ.exe.bat" "
        58⤵
        Loads dropped DLL
        
        PID:2164
        
        C:\windows\SysWOW64\RAQDPGJ.exe
        
        C:\windows\system32\RAQDPGJ.exe
        59⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2208
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\RIPEP.exe.bat" "
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\windows\RIPEP.exe
        
        C:\windows\RIPEP.exe
        61⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\DDQJP.exe.bat" "
        62⤵
        
        PID:2992
        
        C:\windows\DDQJP.exe
        
        C:\windows\DDQJP.exe
        63⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\NBIV.exe.bat" "
        64⤵
        
        PID:2688
        
        C:\windows\NBIV.exe
        
        C:\windows\NBIV.exe
        65⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\XDE.exe.bat" "
        66⤵
        Loads dropped DLL
        
        PID:2456
        
        C:\windows\system\XDE.exe
        
        C:\windows\system\XDE.exe
        67⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\OQBNRBH.exe.bat" "
        68⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\windows\SysWOW64\OQBNRBH.exe
        
        C:\windows\system32\OQBNRBH.exe
        69⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2980
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\ALD.exe.bat" "
        70⤵
        Loads dropped DLL
        
        PID:2872
        
        C:\windows\system\ALD.exe
        
        C:\windows\system\ALD.exe
        71⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\GJANUD.exe.bat" "
        72⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2484
        
        C:\windows\SysWOW64\GJANUD.exe
        
        C:\windows\system32\GJANUD.exe
        73⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\XWXFLLX.exe.bat" "
        74⤵
        Loads dropped DLL
        
        PID:1888
        
        C:\windows\system\XWXFLLX.exe
        
        C:\windows\system\XWXFLLX.exe
        75⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\NPFRJ.exe.bat" "
        76⤵
        
        PID:2496
        
        C:\windows\NPFRJ.exe
        
        C:\windows\NPFRJ.exe
        77⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\VZSL.exe.bat" "
        78⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\windows\system\VZSL.exe
        
        C:\windows\system\VZSL.exe
        79⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\HEWS.exe.bat" "
        80⤵
        Loads dropped DLL
        
        PID:828
        
        C:\windows\system\HEWS.exe
        
        C:\windows\system\HEWS.exe
        81⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\VPRJVL.exe.bat" "
        82⤵
        Loads dropped DLL
        
        PID:1600
        
        C:\windows\system\VPRJVL.exe
        
        C:\windows\system\VPRJVL.exe
        83⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\WVCZ.exe.bat" "
        84⤵
        
        PID:548
        
        C:\windows\WVCZ.exe
        
        C:\windows\WVCZ.exe
        85⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\QNPWP.exe.bat" "
        86⤵
        
        PID:1452
        
        C:\windows\QNPWP.exe
        
        C:\windows\QNPWP.exe
        87⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2056
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\GFW.exe.bat" "
        88⤵
        Loads dropped DLL
        
        PID:652
        
        C:\windows\system\GFW.exe
        
        C:\windows\system\GFW.exe
        89⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\EDIC.exe.bat" "
        90⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2804
        
        C:\windows\system\EDIC.exe
        
        C:\windows\system\EDIC.exe
        91⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\WGICD.exe.bat" "
        92⤵
        Loads dropped DLL
        
        PID:2408
        
        C:\windows\SysWOW64\WGICD.exe
        
        C:\windows\system32\WGICD.exe
        93⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2840
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\BLNJ.exe.bat" "
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\windows\BLNJ.exe
        
        C:\windows\BLNJ.exe
        95⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\BTLS.exe.bat" "
        96⤵
        Loads dropped DLL
        
        PID:1860
        
        C:\windows\SysWOW64\BTLS.exe
        
        C:\windows\system32\BTLS.exe
        97⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\JLGMSQ.exe.bat" "
        98⤵
        Loads dropped DLL
        
        PID:1800
        
        C:\windows\system\JLGMSQ.exe
        
        C:\windows\system\JLGMSQ.exe
        99⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\VBZEFUX.exe.bat" "
        100⤵
        
        PID:2892
        
        C:\windows\system\VBZEFUX.exe
        
        C:\windows\system\VBZEFUX.exe
        101⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\JBGKH.exe.bat" "
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\windows\SysWOW64\JBGKH.exe
        
        C:\windows\system32\JBGKH.exe
        103⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\IOPMHD.exe.bat" "
        104⤵
        
        PID:1968
        
        C:\windows\system\IOPMHD.exe
        
        C:\windows\system\IOPMHD.exe
        105⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\WPBSZ.exe.bat" "
        106⤵
        
        PID:1884
        
        C:\windows\SysWOW64\WPBSZ.exe
        
        C:\windows\system32\WPBSZ.exe
        107⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\FZK.exe.bat" "
        108⤵
        
        PID:2488
        
        C:\windows\FZK.exe
        
        C:\windows\FZK.exe
        109⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\RUZFSB.exe.bat" "
        110⤵
        
        PID:3020
        
        C:\windows\RUZFSB.exe
        
        C:\windows\RUZFSB.exe
        111⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\MXB.exe.bat" "
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
        
        C:\windows\system\MXB.exe
        
        C:\windows\system\MXB.exe
        113⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\UPPPFVZ.exe.bat" "
        114⤵
        
        PID:2352
        
        C:\windows\UPPPFVZ.exe
        
        C:\windows\UPPPFVZ.exe
        115⤵
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\HFNBFXG.exe.bat" "
        116⤵
        
        PID:2308
        
        C:\windows\system\HFNBFXG.exe
        
        C:\windows\system\HFNBFXG.exe
        117⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\JFB.exe.bat" "
        118⤵
        
        PID:768
        
        C:\windows\SysWOW64\JFB.exe
        
        C:\windows\system32\JFB.exe
        119⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:2336
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\XIVGJ.exe.bat" "
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:2740
        
        C:\windows\XIVGJ.exe
        
        C:\windows\XIVGJ.exe
        121⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\XQI.exe.bat" "
        122⤵
        
        PID:2864
        
        C:\windows\SysWOW64\XQI.exe
        
        C:\windows\system32\XQI.exe
        123⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2820
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\LYOV.exe.bat" "
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\windows\SysWOW64\LYOV.exe
        
        C:\windows\system32\LYOV.exe
        125⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1300
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\KLXFDJR.exe.bat" "
        126⤵
        
        PID:788
        
        C:\windows\KLXFDJR.exe
        
        C:\windows\KLXFDJR.exe
        127⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\RJVS.exe.bat" "
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\windows\SysWOW64\RJVS.exe
        
        C:\windows\system32\RJVS.exe
        129⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2476
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\TBVPW.exe.bat" "
        130⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
        
        C:\windows\TBVPW.exe
        
        C:\windows\TBVPW.exe
        131⤵
        Drops file in Windows directory
        
        PID:2700
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\FROHSW.exe.bat" "
        132⤵
        
        PID:2672
        
        C:\windows\FROHSW.exe
        
        C:\windows\FROHSW.exe
        133⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\YOMFOW.exe.bat" "
        134⤵
        
        PID:2228
        
        C:\windows\system\YOMFOW.exe
        
        C:\windows\system\YOMFOW.exe
        135⤵
        Drops file in Windows directory
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\WMJ.exe.bat" "
        136⤵
        
        PID:812
        
        C:\windows\system\WMJ.exe
        
        C:\windows\system\WMJ.exe
        137⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\PKHYFND.exe.bat" "
        138⤵
        
        PID:2064
        
        C:\windows\PKHYFND.exe
        
        C:\windows\PKHYFND.exe
        139⤵
        Drops file in Windows directory
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\PXEI.exe.bat" "
        140⤵
        
        PID:2116
        
        C:\windows\PXEI.exe
        
        C:\windows\PXEI.exe
        141⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\MAMFA.exe.bat" "
        142⤵
        
        PID:1484
        
        C:\windows\SysWOW64\MAMFA.exe
        
        C:\windows\system32\MAMFA.exe
        143⤵
        Drops file in Windows directory
        
        PID:1140
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\FSOISHU.exe.bat" "
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:572
        
        C:\windows\system\FSOISHU.exe
        
        C:\windows\system\FSOISHU.exe
        145⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\LQMD.exe.bat" "
        146⤵
        
        PID:2360
        
        C:\windows\system\LQMD.exe
        
        C:\windows\system\LQMD.exe
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\UYXXY.exe.bat" "
        148⤵
        
        PID:1496
        
        C:\windows\system\UYXXY.exe
        
        C:\windows\system\UYXXY.exe
        149⤵
        System Location Discovery: System Language Discovery
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\AYRKR.exe.bat" "
        150⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
        
        C:\windows\system\AYRKR.exe
        
        C:\windows\system\AYRKR.exe
        151⤵
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\ZTANR.exe.bat" "
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\windows\SysWOW64\ZTANR.exe
        
        C:\windows\system32\ZTANR.exe
        153⤵
        Drops file in Windows directory
        
        PID:2824
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\BLNJFO.exe.bat" "
        154⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\windows\system\BLNJFO.exe
        
        C:\windows\system\BLNJFO.exe
        155⤵
        Drops file in Windows directory
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\NBG.exe.bat" "
        156⤵
        
        PID:2188
        
        C:\windows\NBG.exe
        
        C:\windows\NBG.exe
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:1300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\ROVWRBH.exe.bat" "
        158⤵
        
        PID:2184
        
        C:\windows\ROVWRBH.exe
        
        C:\windows\ROVWRBH.exe
        159⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\ORRTLI.exe.bat" "
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\windows\SysWOW64\ORRTLI.exe
        
        C:\windows\system32\ORRTLI.exe
        161⤵
        Drops file in System32 directory
        
        PID:2916
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\GZMKD.exe.bat" "
        162⤵
        
        PID:616
        
        C:\windows\SysWOW64\GZMKD.exe
        
        C:\windows\system32\GZMKD.exe
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\GMV.exe.bat" "
        164⤵
        
        PID:2960
        
        C:\windows\system\GMV.exe
        
        C:\windows\system\GMV.exe
        165⤵
        Drops file in Windows directory
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\TMHS.exe.bat" "
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:424
        
        C:\windows\TMHS.exe
        
        C:\windows\TMHS.exe
        167⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\OCS.exe.bat" "
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:2156
        
        C:\windows\system\OCS.exe
        
        C:\windows\system\OCS.exe
        169⤵
        Drops file in Windows directory
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\THPDX.exe.bat" "
        170⤵
        
        PID:1872
        
        C:\windows\THPDX.exe
        
        C:\windows\THPDX.exe
        171⤵
        Drops file in System32 directory
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\IKG.exe.bat" "
        172⤵
        
        PID:1040
        
        C:\windows\SysWOW64\IKG.exe
        
        C:\windows\system32\IKG.exe
        173⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1672
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\SNUPBRC.exe.bat" "
        174⤵
        
        PID:1504
        
        C:\windows\system\SNUPBRC.exe
        
        C:\windows\system\SNUPBRC.exe
        175⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\RAERCS.exe.bat" "
        176⤵
        
        PID:3060
        
        C:\windows\system\RAERCS.exe
        
        C:\windows\system\RAERCS.exe
        177⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\WFIHB.exe.bat" "
        178⤵
        
        PID:2696
        
        C:\windows\WFIHB.exe
        
        C:\windows\WFIHB.exe
        179⤵
        Drops file in Windows directory
        
        PID:704
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\LAEDVNF.exe.bat" "
        180⤵
        
        PID:108
        
        C:\windows\LAEDVNF.exe
        
        C:\windows\LAEDVNF.exe
        181⤵
        Drops file in Windows directory
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\HJDJW.exe.bat" "
        182⤵
        
        PID:1656
        
        C:\windows\HJDJW.exe
        
        C:\windows\HJDJW.exe
        183⤵
        Drops file in Windows directory
        
        PID:868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\WDGGQTB.exe.bat" "
        184⤵
        
        PID:2888
        
        C:\windows\WDGGQTB.exe
        
        C:\windows\WDGGQTB.exe
        185⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\CBEB.exe.bat" "
        186⤵
        
        PID:2176
        
        C:\windows\CBEB.exe
        
        C:\windows\CBEB.exe
        187⤵
        Drops file in Windows directory
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\VGO.exe.bat" "
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\windows\system\VGO.exe
        
        C:\windows\system\VGO.exe
        189⤵
        Drops file in System32 directory
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\AEZ.exe.bat" "
        190⤵
        
        PID:2680
        
        C:\windows\SysWOW64\AEZ.exe
        
        C:\windows\system32\AEZ.exe
        191⤵
        Drops file in System32 directory
        
        PID:1292
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\CEYV.exe.bat" "
        192⤵
        
        PID:1640
        
        C:\windows\SysWOW64\CEYV.exe
        
        C:\windows\system32\CEYV.exe
        193⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\PUXHYT.exe.bat" "
        194⤵
        
        PID:1632
        
        C:\windows\SysWOW64\PUXHYT.exe
        
        C:\windows\system32\PUXHYT.exe
        195⤵
        Drops file in System32 directory
        
        PID:1524
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\WRV.exe.bat" "
        196⤵
        
        PID:884
        
        C:\windows\SysWOW64\WRV.exe
        
        C:\windows\system32\WRV.exe
        197⤵
        Drops file in Windows directory
        
        PID:2932
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\SXNJ.exe.bat" "
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\windows\system\SXNJ.exe
        
        C:\windows\system\SXNJ.exe
        199⤵
        System Location Discovery: System Language Discovery
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\FCKZCU.exe.bat" "
        200⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\windows\FCKZCU.exe
        
        C:\windows\FCKZCU.exe
        201⤵
        Drops file in Windows directory
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\ZVJNZMQ.exe.bat" "
        202⤵
        
        PID:2420
        
        C:\windows\system\ZVJNZMQ.exe
        
        C:\windows\system\ZVJNZMQ.exe
        203⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\UFMEX.exe.bat" "
        204⤵
        
        PID:2520
        
        C:\windows\UFMEX.exe
        
        C:\windows\UFMEX.exe
        205⤵
        Drops file in System32 directory
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\GABRNSM.exe.bat" "
        206⤵
        
        PID:828
        
        C:\windows\SysWOW64\GABRNSM.exe
        
        C:\windows\system32\GABRNSM.exe
        207⤵
        Drops file in Windows directory
        
        PID:2436
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\SQH.exe.bat" "
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:924
        
        C:\windows\system\SQH.exe
        
        C:\windows\system\SQH.exe
        209⤵
        Drops file in System32 directory
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\ELIPS.exe.bat" "
        210⤵
        
        PID:2508
        
        C:\windows\SysWOW64\ELIPS.exe
        
        C:\windows\system32\ELIPS.exe
        211⤵
        Drops file in Windows directory
        
        PID:2300
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\ALO.exe.bat" "
        212⤵
        
        PID:2372
        
        C:\windows\system\ALO.exe
        
        C:\windows\system\ALO.exe
        213⤵
        Drops file in System32 directory
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\MBING.exe.bat" "
        214⤵
        
        PID:2084
        
        C:\windows\SysWOW64\MBING.exe
        
        C:\windows\system32\MBING.exe
        215⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\RGKGD.exe.bat" "
        216⤵
        
        PID:2860
        
        C:\windows\SysWOW64\RGKGD.exe
        
        C:\windows\system32\RGKGD.exe
        217⤵
        
        PID:2404
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\YEI.exe.bat" "
        218⤵
        
        PID:2812
        
        C:\windows\YEI.exe
        
        C:\windows\YEI.exe
        219⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1120
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system32\AZLVCMZ.exe.bat" "
        220⤵
        
        PID:2624
        
        C:\windows\SysWOW64\AZLVCMZ.exe
        
        C:\windows\system32\AZLVCMZ.exe
        221⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2616
        
        C:\windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\windows\system\WZSBVTT.exe.bat" "
        222⤵
        System Location Discovery: System Language Discovery
        
        PID:760
        
        C:\windows\system\WZSBVTT.exe
        
        C:\windows\system\WZSBVTT.exe
        223⤵
        
        PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\BLNJ.exe.bat

Filesize
54B

MD5
cc214f522eabad4c0183400b69558193

SHA1
5ddcb6e09de9cc90cf4cf194ec6611f5c510e975

SHA256
7a8515c7395d9dca96d3051f975b9755f52059668d81bf97092a1e19afa12588

SHA512
aee38bcc8e591e5d99051e8228a90cc16419ffd09aa8147b3113730d2bd650dae46ed0a16b4cdadaf3b91191f1616b20b7c0b660b2f34d04aa1c2b23e5c9bf92

Download Submit
C:\Windows\CBEB.exe.bat

Filesize
54B

MD5
776ed3060e9262711183c9e6fda53cc9

SHA1
86ae36da7b1e5acaa409df0c0bf52aa89b498734

SHA256
c3448cf456e647b3d18190215202a4db3c7a691b70bd4fd29cf1d3b5ecea77e9

SHA512
2932e0626192cafd513f2d3bb32da9e646f4faa0c386a7dc24c5274f6afe9c200c3881484e3e97183cb0767e31d7338e2ed090ed4105b6c06d97ef5268ee3378

Download Submit
C:\Windows\DDQJP.exe.bat

Filesize
56B

MD5
609f0007605622cff7e74339d949893d

SHA1
d10c106937deeadf144b6d49a9e0ba620738c28b

SHA256
789563cf02facd1423f29048fd640956a25ec046b9bbc20e53531147eeba4af6

SHA512
1f47dbd5a09b01160cee73c95cb6288cfe367ea0277732ab09936741ba8a2fa9bcdd56fed53e8ec93b973e31adba8ca6e114bac9a4b1ed8c9a198331aa57f906

Download Submit
C:\Windows\FCKZCU.exe.bat

Filesize
58B

MD5
26b02d6ce0866103211b769743f06558

SHA1
03be15960c8c6aef0e70a9ecd032344941e29476

SHA256
4a76eab4555a38edd33e744b03b3b32ccdc10f3cbbea34b5a3000fae7dbebbf0

SHA512
d5f728cacc3d6636684fba914c40b6a73bffe0a8463a5a4ff45808f81a24444cb82993d6e3b4f3552f4385817cfc820d3b5eaa3ad9139464dcbed2e38c5fe7c2

Download Submit
C:\Windows\FROHSW.exe.bat

Filesize
58B

MD5
03ea13b31a463d3b287ad339bb5640b9

SHA1
66acf23369f6eefa8d88d92f45e576165e568405

SHA256
21da6c10a5776be173fe472113de47f59a8bd2be4b056c5f5f17e9c22ca10113

SHA512
e0c77348acdb58327e73091b0ac3bf915a16f378fad5c91fb83f44063b854a8ab651bdc36575eb96b562077a8eb9c489946182923871f70aa5e117a0fe6bb34a

Download Submit
C:\Windows\FSJTIVL.exe.bat

Filesize
60B

MD5
da53b0afb1c86598f8fbc74ec20f700f

SHA1
11efa00d57b73cc11b140c81a7c37366220b9a94

SHA256
3a19aca9da2e2adb397d3212ca4a93efaa83c2ec8142ea75ecfabee0991fcd8b

SHA512
298f0f1cc69f2f43e73eb8f5349394954fd58bc028e46137987030cef65ce952f37cc1dd1882090b21c3f3d956e8d656849cacabcc78609e453a1a3e1f7b9b5d

Download Submit
C:\Windows\FZK.exe.bat

Filesize
52B

MD5
a7cfbcf4114b9929344912bd49d15d7e

SHA1
ee6f90da954620af131c53af89d98570c3629b4f

SHA256
22e181900457495ea0651f92d3a8cbad5a7e4a23664f4e9726a588af7847bbd2

SHA512
9a31251c2b46a187a74ce7ac8ad2e43847f103e199ebe7c7d93e1c3783bb65b52e40ae4c0aea950505f9a9f656473dc783c100b0d730c4a32865cfccc315c886

Download Submit
C:\Windows\HJDJW.exe.bat

Filesize
56B

MD5
d14feb0f6d29239eed446f8272757612

SHA1
e23934ab0200aa1981f9821bb5350333b48b1109

SHA256
e0bd174b55cf40e86d31dfe7a270746c64f03e12c774a6321e17ca8085c75a15

SHA512
e21ca159fac33a0cf20fcede889a8a4e9646b096c669f906e4b4ceeb286261a16ad74e2c9076f119fdebd3faf621edf0d3526ede1dfaa7c4700785ec7c10e448

Download Submit
C:\Windows\IVLWDAH.exe.bat

Filesize
60B

MD5
2aa95919db6b8f784e92d49320ac5de0

SHA1
037287f01e05a62f5cef0ff9933d6dc967bf4ec0

SHA256
eb8d322e2813c9f68c36eabfa6653771ce47d6a61979d2f11f9aea3e297cd6bc

SHA512
185cfa5c031a8d1650784770333a7635529a06460be0c6558b1cc2b92088e8786b409b7c8c1208f390b493ab6aa14fb2d14a49671524b4809fd03478a78f8408

Download Submit
C:\Windows\KLXFDJR.exe.bat

Filesize
60B

MD5
71a609116c0272bfbaef0caf0f4f8f2b

SHA1
2db8d6407f1d61cca9ae6166b8c5d56f98db201e

SHA256
6f63799e3bba0fa069130764c911208278117f53061f3bbd40842e6259c1af8e

SHA512
d2dbbf5f6575fd6179890e89a1781cc639ee0857574ad30cce8290fa4fcbb466513bae11f53589b9c1b2f83bd661eddbdbb91b279e2cfc95ef0bba5c43a62698

Download Submit
C:\Windows\LAEDVNF.exe.bat

Filesize
60B

MD5
31dab91cd8ae75798a2b539c42ea204f

SHA1
3e386c398608e8d6996d0396aeb766537fab436b

SHA256
1eb80ac7fb948fe7394901344ffa582663a679858d2421b57096f5f73c3d2c3a

SHA512
30e5347a3c3ac6342417cf2777bb7165280b57299f37929c6c4ec0d6aee1a8c122c1da3f638d85ba5b946d0b6cdba392dd83dc5560bc78ee9cbe6d2f8e8deb25

Download Submit
C:\Windows\LDXTTA.exe.bat

Filesize
58B

MD5
9e37991318cc23b28b7346f47625908b

SHA1
f817a1d43ada8d51c5499c7eda774d858d511534

SHA256
7980baedda330929565cda139672db94fedfec8ed4670de1f409a4bcc74ccef0

SHA512
ad57941dea99030a9f880452fd8c872840c2b0b4ff919c26af403c7dd73f5d7b802166f52c26ee30d8025bf85c01a5f03200e7fea8ab90682dec8952aca90979

Download Submit
C:\Windows\MBRKV.exe.bat

Filesize
56B

MD5
ac9adf3fc73d919cc8b766ae2f67857d

SHA1
1e44d4f04a759ef0718910c44233ca0797a16841

SHA256
13e54c00fbd05876450f8157bb13f5fc9b3c9d5cfa89d2368f943cc7d95c5196

SHA512
e5ae6a63f3f7370582bf1e7706fdb343db97bd39c73cca4c5252461ebcf547bff3486f06ba85d2b7bad2436b720dbb513152ee0e51a73b9c689f88cafdd66923

Download Submit
C:\Windows\MVBX.exe.bat

Filesize
54B

MD5
edd0b2fecb126246e36d4e7d2a7d7c9a

SHA1
29a33a80820102b969c8233396054331e2e29cb2

SHA256
954dbdc7de2453432e175a50cadcce70dd511e1ddd905d3a13b7b2384118c9a3

SHA512
382b032cb48ac5d247afcab1140d0dc870d861f1d662ec9869a8747ff94b092717b405d4d61ea491a9776754be00a735854c6906b8efd0494e89b1a1b9a3a5fa

Download Submit
C:\Windows\NAQ.exe.bat

Filesize
52B

MD5
1c333b41be1ed5c76dcb7febec56225c

SHA1
ecfb9f79899dda4dcea8d19a4c1a83d45e2bada2

SHA256
68cf6e7d0793aea1790294913579c0c212ac966c45bdd0586bcd73184c9a7c22

SHA512
5c69624c2592fd8568ce267bf89a0a517481c2bc3e132991e7fe60800a1eea97c1e4c61d5835389cc4af45e0a2419d8ae901f9c42bcb61c9a7673acec16b5efa

Download Submit
C:\Windows\NBG.exe.bat

Filesize
52B

MD5
cf9fd8d68df62b04a3c58cc02220bba5

SHA1
82457acb90c2f3a511c69faf4c8724b9bb2c875d

SHA256
2db7d8b07d55161276d70b8f52d7e799a368dc9a7fe678f73920c8bf7c731668

SHA512
77c23a7a51807b0f133199503e5a300db135f337e966e5119de2d18245e53f4aadd92056c3317e08315f5acbfbe1c32f294ac7005545fe941f233c7d4dceb509

Download Submit
C:\Windows\NBIV.exe.bat

Filesize
54B

MD5
b727dd4ab5aac8be4a28060b6aaff253

SHA1
f1214f1bc4c3d9d161275abacb490ed9e72878b6

SHA256
57f60657b794f773814b9cc12d3635d098306663eaa19ea73351ddb26b0473cf

SHA512
3a3034f6cef3f73cc2cb832bf22aae9d4fe8ad6e7eaa5cbe3467d34cc064272bc5592bce83a23ac31919a13c448e06751c7ba7f168f79520b40d6c537400782f

Download Submit
C:\Windows\NIUMSP.exe

Filesize
208KB

MD5
df8e6f2eb0582354926bd9f0533042c7

SHA1
80420a8ac74e76772b671bd0b0323a3922fa1382

SHA256
b1081e5e1107531737941a230aad2c07bb77f4dc579dd4eb2527929004671628

SHA512
50ac590c60462545f540bf1fdefab8b9b3f11c4e02bdaa2872b8653e03f9a4c4b9d10a1af3939cddbe27fb38f5e65a5dfb569788b165410df51b371a0d33b8f9

Download Submit
C:\Windows\NIUMSP.exe

Filesize
208KB

MD5
e8a7caa06e2e3f5729654b4fd0b6738f

SHA1
55edf4b5625e62ff0b62071f0f0acdfe19d66769

SHA256
179192d4468f9299b2717861f61d83b1fdfc4d0286a4657af2816141bac94514

SHA512
c6d7eba5ebf522a0067e125d82c842df2738148fd8387360009162b6975d060d5fb05e6fabbd9f833197b0e7e3dcbe5b5dee3282d84b69cefde339caa16095a5

Download Submit
C:\Windows\NIUMSP.exe.bat

Filesize
58B

MD5
961c4523741e8883030733594d7ed86c

SHA1
b6c1130dc7f6c97937e99c714ca435bf92bcc705

SHA256
ae0cd0d9f364b73975305e20218552e2dd4d7c56247777f500a324655b0aafca

SHA512
97d29c9f2857c0ed29d72f0f85ab1c14a4897894d886b1904cae69c202b1fce5c4683a7620840d38e135b93f602f13575555dbe037d7541e8e56619b0ae902be

Download Submit
C:\Windows\NPFRJ.exe.bat

Filesize
56B

MD5
ea692bb8b54c917c8db1bdf779c91a7e

SHA1
6eebe794a6a8829f23ff5e90af1b44f3aacc9e66

SHA256
d92d8accb2b538c67f0528ebda0d31b44cf18a2ca6de9dcfb5f3b6d771bd1164

SHA512
7e59ced08a9610ea69e63d5ceb9789e25a0706e54e1457e2da9676252445af2e602f61c5af116ea2338b91c46a1e9310fd403a007a7e8c742cf1aef75d64cb5f

Download Submit
C:\Windows\PKHYFND.exe.bat

Filesize
60B

MD5
3aa5c19c9447ea306bf67cb01efab83c

SHA1
fc716ed99c66337107023b339857a21a1d024a2a

SHA256
fe606d17ebcee34b3514adc386e8521e035d7b1b00772b7cc324186517c820cd

SHA512
72dc7aeec5046d1f9ecf8979f9ad323f3b133a21e49eff1edd8e224cf8b1a32dd113a4e5a4b3bfc84c65b50367d8519451b69915239ba03af0e2d730018d29e1

Download Submit
C:\Windows\PXEI.exe.bat

Filesize
54B

MD5
4f6bdbd198b986541140ba26a4d972fa

SHA1
5a4dc745b915b1732e1e6fffbd05b185bb679384

SHA256
2f35aa26024141ff7af9031cb9d14eddbab30bf3caba53243f2a1ae1ae1f1780

SHA512
c228da44452fd123c5de496c30263a6193a399e44baa50bfa803c73dac3bee742d3dcc7aba7c252e89b416628d90a6ba8f5a8da46ab6f987f1e0b73f798ed633

Download Submit
C:\Windows\QNPWP.exe.bat

Filesize
56B

MD5
b8ad6d932c0e93b1ee7d06f75072f23e

SHA1
28e7cc0c7b7368389ac56227a1c016942c119487

SHA256
2496f7653941379796d2fd765c48048a2d0d669bebd3a5af84f84bb2989a5eee

SHA512
3a9075a70f074199eb1f53d4c97a67fc6cd77552718760ec10592b3fdd3691b1f66480ede8edae5e7ae1eff556a0e413e853065d3b0709fb76cdef6f42dbf3fb

Download Submit
C:\Windows\RIPEP.exe.bat

Filesize
56B

MD5
70047f33024710d9ee3aebd487ed55ba

SHA1
db47ecdb93098b59d6409b70ff49622854445f97

SHA256
e278f5aa160d71ad74bcb8c3f0b5753fed79f0bbd9b4dc9d62e2213fc89c440a

SHA512
72e8b3918e1e108e48f1db29c117fd4adb53f4264d2d3abf623c95ebcd4e6edf47f368582b8c0da935a7653a7996708bdde48df622f20394c00d9452a578c3db

Download Submit
C:\Windows\ROVWRBH.exe.bat

Filesize
60B

MD5
09bc6a16353fedfd1dbebee3e3aa71a4

SHA1
fd7a44dbc365bc3cad3f0f4b1c9ba916452022e3

SHA256
8cd72c92ffe36f7f19c0603a4abfe83e718b54fd486744f35b2f5ea317d68f1f

SHA512
5aba5716dbf196d5238c259d0ee77fed080d5b07caa5d21ff6a2804a8b2f96dbf89c108d81563e04931ff24f55e737f238f3d7f2b3280149c8fcf2a045ffa4ee

Download Submit
C:\Windows\RUZFSB.exe.bat

Filesize
58B

MD5
d8fa3ea86f0dba779474c15f0aeb35f1

SHA1
a14d004dfd9d6a675569e5b7f81a823be1c8f23c

SHA256
166c68f9b16a9d611ce5ffd3e5ac499213ce16cc2113b8a64cb2e0500c057101

SHA512
b1d91dbec5faa482255ac80d1721366c5990e183dca0ec6593e04b7e3b94b02d592688857bfd94c582bcc94f6d2015c8484259be7a476e0d5dd51f09adf5a67a

Download Submit
C:\Windows\SysWOW64\AEZ.exe.bat

Filesize
70B

MD5
7d5f282b16c233a702bfb5be34fb67af

SHA1
a728e1c96fe8fb50110c8d48043314441ad24f9b

SHA256
4809682a429c4720455ff7c98f1e28ece93d1be078cb7643dfd5ab4889b4463b

SHA512
c30df15c9f6e1c7299ea88e0be2daa49221fa95f7607ab49e8a361e5f43df1a355e0909e111effd9b6c64054391a47ad21b88c662a45980ed40d0c44987ba7a3

Download Submit
C:\Windows\SysWOW64\AZLVCMZ.exe.bat

Filesize
78B

MD5
3cea408ddab0ffc70717bf47eb435899

SHA1
85add38f041fc8852007a148004f81f03018a35d

SHA256
7eb8919fbb5363100481ead9617e2a7aaea4d8db4f0acf4c755555b924c5ba6e

SHA512
23f5277bd8ce566954803a78e37cdaf9ff70f17b76c3ecad72ea188dbd52cc55748045b6134698c493272c85580c9912befb60c437a44803aa13ed2cbac79a6e

Download Submit
C:\Windows\SysWOW64\BTLS.exe.bat

Filesize
72B

MD5
253ad2a7f2475d68c15e03cea4565f46

SHA1
27dde98efd736e27f914a52e493966e9a6dedf85

SHA256
43a4ae58226ae58cb1a26ec3d2d8854c11c8bd8a3e9878bb09400e13e90c6f21

SHA512
cfad5e60fb73ecda62250ade3e7f59a23fbe3e2bc40fc651a0c68cbfa719993c6ca7bafb71e1c05e26019432a830bbb1dfd4a1398961184ddd3d79d5aaff946e

Download Submit
C:\Windows\SysWOW64\CEYV.exe.bat

Filesize
72B

MD5
207f734b27f0540cd21f16d573707428

SHA1
44e7d130f153d74d4e1ce8ffe5c68b2757aa2433

SHA256
d8c3a62fc975502727df63645f9626b2b8996008e91d129ba0ecdd89d450bab9

SHA512
31abb19f84f2e0f8b93c0f6f14fa255a0d1fe5f4f53accdebb19bff21f59b25411033047748358307952c9e3a2aff6e31acbcdcdf658271cf0c115eb993e97cb

Download Submit
C:\Windows\SysWOW64\CGOBVKP.exe.bat

Filesize
78B

MD5
628dfc4c514b75331c1e7818ed5d3768

SHA1
f5a28ddb19907d2fa942cc3022ba3e32b014f2df

SHA256
cb52916f31469ce7b803bd8ba8dcc8f7532d8bff42986cff78409de3fd96e469

SHA512
d75ba5fdfa984cc7a39f6a0a6042de7eb8ff228d04fa5dfb44e1e8e73a52a30f8f8dc6a9e98f421ea06245633c8a4e255fa4da68e3598bbc91156fdc1ee44a35

Download Submit
C:\Windows\SysWOW64\ELIPS.exe.bat

Filesize
74B

MD5
7af546ce282b7cb666689d08ad1e1e43

SHA1
4cd8d67acba405a3d8ab1aace6eb92626ccb914e

SHA256
e6aa056927d88db782c50144436652b0ce64d17114fb043719a57af9b6b7ae27

SHA512
97f14d2928dea0fcc4ad283d5c50d4ed26010b8edd0ba8a505ab1b8613743889f5c7d7bfe9f2e4c22df91ca23cb4b318dcc94aebc0642b56379ef7d6248b53be

Download Submit
C:\Windows\SysWOW64\FEGESK.exe.bat

Filesize
76B

MD5
7497309d3670c90389b72b8fa5454664

SHA1
6c51b549d57fdadcc5257b3d8241b92db8319bd7

SHA256
aa64e1580056060137ca1ee4a5236c1177c410bd0c92839a2e7d635bc216cc86

SHA512
6c36188d2acbdb1ef9a8bf243a22a60edc100258ffa38af649605bc54f92ca138913c7e59a97827c7149f7eeb472eb45361d8c65323f56ce9cd949a5a0ded3b8

Download Submit
C:\Windows\SysWOW64\GABRNSM.exe.bat

Filesize
78B

MD5
eb7f778b19c7663a0bc92ec5b22cd3a0

SHA1
8fcfd9856ddc2ecbbd6df76d8c4d0815cf24e9cf

SHA256
d8ee9b30097e3962d04698fa29caaab2386b96f1f5f0bd48a22f8a20828c5b4c

SHA512
8159df0ad5fa900ba6075064876b04a4a051140f1b14083a790b5d3bf3b6ba9556b9af02ab07b5d174078a2de690116ee1046d1bf3d5e12c6ee0a1420ebfdcf4

Download Submit
C:\Windows\SysWOW64\GJANUD.exe.bat

Filesize
76B

MD5
f66f3dee3374a549e5c3f80cf929a8ab

SHA1
2b284abd46f58958510c79fe4c2deb3ca29fdbe8

SHA256
2cacede65acc53aa3a12859448eb4a9c13d8bf5f3c0cca31da5a96ceddb06f09

SHA512
d46705edb53fdf4583c2b0fd8eb78d71bfaa7c8fe159272d6d626e66e105add20273c0874bbc337a88e0c613224deec5d6e964e9cd976a783e2f324b3d537eef

Download Submit
C:\Windows\SysWOW64\GZMKD.exe.bat

Filesize
74B

MD5
89d38d7bd291d8ca0d7ea56c8efa8d7c

SHA1
66556fa65cf3ab2d1bbaa36d0484971a1d7b4c04

SHA256
58b37088be2157eb641fcfed5063cffb090b95dee0f3c4f18188b41e4569b4b1

SHA512
cbc2ca7c78a509c3b471f3ab480e3308b41eb000b19763baad8e852f10e58442464c965a076b5fac3112f20b40773c08ce383263a0ab341adf31fac60020c6c5

Download Submit
C:\Windows\SysWOW64\IKG.exe.bat

Filesize
70B

MD5
e5eb0c42b520b1219e45efe2b8b37ff2

SHA1
ae22f217962347986ed2e4dd1c1ebb2410d05492

SHA256
edbd3f052a1c1c4aca12a18cdf6eea52157b9699581dd44c647bf48d846d1572

SHA512
b092ddac2a1325546a3c4baf98064927df1666f71a0f5a683c19a731154c4944fd59bb04d3ce34aac79e8b35c983c312d56ed3ed73fda95f1479aebacf033149

Download Submit
C:\Windows\SysWOW64\JBGKH.exe.bat

Filesize
74B

MD5
4e0322fe7b9521969bf4a5df4d787c9d

SHA1
770da259444b3b8125046bda3b577adb3895e8dd

SHA256
ee7c17ff290b191c9111b66e3ec647d03ac42fb35e0610378286dedc7c47b328

SHA512
612993c31f1fda59dae329364e5c93b69c16e3bc4d4866dff9e3f909c3911fabd1768d94c6f7ddab9c11c9b32136ca5a6cabe69f7e9b80cc14b2a8d8fc0debe4

Download Submit
C:\Windows\SysWOW64\JFB.exe.bat

Filesize
70B

MD5
fe9a68fdd96a11e4ed12c9bdd5ea3eb8

SHA1
954bba071f70073dc47dab240ccff79fa3d6a2d2

SHA256
db9c2d9fd9ea49fa1411bc1f2f114063fd65dd0b1f6c844607c0bbeb10133d6f

SHA512
48815b43b9b2c8c152cd386dc12fbcd703c233bf345552b61715d655838750ddb3772e0f86ffd1ade4f4fb591f89242651398317a4998c3920e9735748fa2e3f

Download Submit
C:\Windows\SysWOW64\LPLG.exe.bat

Filesize
72B

MD5
f3fe346560ece5e961223e4faedf30ae

SHA1
6fe7d590e8e11cb9a2e3200b00cfe8c287cf02b9

SHA256
c3b5ca686f58a0300eb57687f6aa7379f497e6341391927c0c28496ae17638a4

SHA512
1a210eaa59cca2649996866901cff9fe06977c5bf4a8a00df12fb3a1221e238fd97132276904a5864b17a09666037026b2dcbc7a2e79a0b469890fc6345e1c8f

Download Submit
C:\Windows\SysWOW64\LYOV.exe.bat

Filesize
72B

MD5
372a98b5c08ba5c4d73f90efe337b684

SHA1
696c51192e217b4cb2d4a47dce1fa41a91ce5ff0

SHA256
c982a6b617b6e874f87b8da0d4bc3e1e75f918d7585781b0250ab2b6b8d6f419

SHA512
0c74f80e2636efc6dd7d634651b6d9dcef047f68b8185d440a6a59679280eec8c4f54f254ac90b28c2e2fce26f6eaacd2d9e14639709827ab51d4eedb7b43dc8

Download Submit
C:\Windows\SysWOW64\MAMFA.exe.bat

Filesize
74B

MD5
415be1761be65b406e1e8ca773c05eae

SHA1
06842443fc5df865742c37a81ef7cfa4e651444d

SHA256
9847485d1bacb0f946306b5fbd80f80ef93be013e6f0e96cd019515a858e3286

SHA512
fde235636abe3fa57473dc2b0320df80c27b09902cbc68740d8e2fdd38bee910ff01b3a6b7bdea7e0e281163167d090ea127447afb9ad360a78f4e141e523d28

Download Submit
C:\Windows\SysWOW64\MBING.exe.bat

Filesize
74B

MD5
2a8511bd6d972427e1f1bbcf1632762a

SHA1
9df8dc213bc25c0119f8734ea04ebbf21a902d28

SHA256
8fa32cdb9b54acc64b99be7572f0a552728ceb0d6b32f3493fdb9d9bd0702747

SHA512
8b56aa97eaa864acfc5c46441bc24723513e197d161abc4efc6dd7aa6e64d98ff24711ff23e1aa35c65efe7edb451155be7c1be5176b7c7e64e31c3cac565d7d

Download Submit
C:\Windows\SysWOW64\MFEQGVV.exe.bat

Filesize
78B

MD5
18f68baf5fb1ee51b0c0cfaf18a90513

SHA1
04a879e10206f749b45b5d004ead36478b8aafe2

SHA256
7baa5147f024a7590c58fd93155410f556b89b074d62123988f1ad53614872c4

SHA512
dd327e289da0a2cd9f32a42d8b3d51b5a11c22039e75c430d4b77b06ec63e32cf600764126782c65b9298e55415f726de9b642d1d2704cd137f47893704e3520

Download Submit
C:\Windows\SysWOW64\OQBNRBH.exe.bat

Filesize
78B

MD5
0598a8b06e05798875bdaac88f423490

SHA1
e1b92620bee577278ab2ed479157b280a966b462

SHA256
3ef91e115f7c0fac311ef37ca82dec5d302ee09b7272d7fe4f23d8c8aa1a00b7

SHA512
23635adaa05916b27c01f63b1df96e4bd0e935aca7e195fea84903f34f6149e78161c16f8911192f5a99d4ebbc20fb8b5ba6fb113d4a02f7c863aff4b6834744

Download Submit
C:\Windows\SysWOW64\ORRTLI.exe.bat

Filesize
76B

MD5
0514ec23f3f8a6cda210c366e3d0c506

SHA1
8de09a6d66d4f4e97b1a41b2c9b4c5672e3fa3d4

SHA256
9dcc85d0632654132b60580b5d7abf331fba82c0ab3cef73c14f91755ed5af96

SHA512
6140d441a9cb71ea39ff70720f4a844b5e7c9d03c5ba6e9051af5e98696a9bbc7ed07e759883db5b4a0d04220dcf10fdd660fd3105695e09da6e2fd49190c1dd

Download Submit
C:\Windows\SysWOW64\PUXHYT.exe.bat

Filesize
76B

MD5
fb864fb578b849c4a2ea80b8e14f16e6

SHA1
ca48c6b862163b1a87fbc5b9dc12288970920e8e

SHA256
7fa7f1f13f658648632e92f274f847cce4abdb250524705edac352b1c46e6055

SHA512
28f57d87aee20503b0fcc56c16650c8b1dcfb5b98d9d88bb1d2c0de605b4abe3e3ebeb2d7c5964c50efe629dfdb331bcf64ed67f29ea44e9eecf0a733627e355

Download Submit
C:\Windows\SysWOW64\QKAL.exe.bat

Filesize
72B

MD5
49745812b2a40f8017956e7c3d4f5a58

SHA1
cfd2792629619f36c185a4ec45346f44690bd80c

SHA256
f8baa64c36e65384018a4c0f82177dc314d544687933c253981a49d79f321000

SHA512
87edbc578b83807124a7f9d6842018e34c6a55a0e219b2aef3cb48e4da24fb9ed9301e8df68987464e7da3ad49a389d2cac71bdab21e593ff2567dcc17e234d7

Download Submit
C:\Windows\SysWOW64\QXUYLU.exe.bat

Filesize
76B

MD5
03d6c5cbfef781af938a86099e94943a

SHA1
5fdc2a284a3350402648b37b058ccff8f8e37774

SHA256
2bfa85c53ec496e54ca36bdfa46de9fe91b172e32bf2e1576732dea1fe5d049c

SHA512
fc82cdd5120509a8a40cab95b92517940f62338bfd35773b19d184d9d4d4de03a2538efc50c4808657669a451dab79b0fd0e60fccc52ce12aba1f40142c4a74f

Download Submit
C:\Windows\SysWOW64\RAQDPGJ.exe.bat

Filesize
78B

MD5
8f1b68978c77a6d02afc4301557ffd29

SHA1
bcae0fa03b7739fb00972215e170ade0bdbb33a7

SHA256
3d66db5c1ef59f89f6553e8a636c0a50b62101999bcc4f650ca67b65ed37b4df

SHA512
14e26c42b2b8f1041ec2ef03c5bb22252b50b285646ba0ab3845720914ffc11394474589a1461cffeb2a9ae556ccaa93177f5524552327cfc3d2171b6b48d8bf

Download Submit
C:\Windows\SysWOW64\RGKGD.exe.bat

Filesize
74B

MD5
f6f9f2151078ddb5e0793bbf2b3cc0be

SHA1
f7ef19bd73ce2411355836f6fe80a058b789b16c

SHA256
4b564f5aeaac1d2f9a83f62b11f1fa9c67c88e5da88afd205e8a78c3be379f5a

SHA512
e0528f84af5f77da0f4031a59620d0c2c8197702add7efe8a08b3c5cb078b6ba69a18f3a6f39b5fe219a240d05d35c5f30254c1e7e35e2a0ea26fe974340ea8b

Download Submit
C:\Windows\SysWOW64\RJVS.exe.bat

Filesize
72B

MD5
ef070a2477ab2cde061b85952211528d

SHA1
fbe22411b6908cf211255c15e1a699d375962f7e

SHA256
ac6a3a1b68e709def6b2be00aeeeaf60bf0a01164319a3282ef3eb31a5c9cb1a

SHA512
ea0a99fedc6f855afc7ff2f770cc06f9529f8cadddb33849aac5973962099a733d8741b3b33936e13bab619519bc37bb08ab16b80e1e7e21c0b0793867154d59

Download Submit
C:\Windows\SysWOW64\SNT.exe.bat

Filesize
70B

MD5
497653c0efd49a7b99814a73c1e5c89b

SHA1
e10756819804bbc2aaf38b19a5f1fdc2dd55ac07

SHA256
c32a7f3880acf830f728afaa76ddaedaf9c994fedda7d43dd3e63faa1be74ed0

SHA512
a182b607cb37f3bd2a5951da46e8c658dc7628fc07805fe5e11411c9cb4f7297c5cf8464fb6f1263303c9dfb354928d9e879bce8c8585e9f83874ce04ae01aca

Download Submit
C:\Windows\SysWOW64\STJKQF.exe.bat

Filesize
76B

MD5
b3743d1d538bda5648c7a2ecc9cd3914

SHA1
caf2b0f561ea466f9a2215ef8b522233bb77e7b3

SHA256
9dd941ffafcb09df07db2c5f10d3e55c4d87b35e59f0fc0ce5af65759003e304

SHA512
0bd234429f14fae41dd13c0f2ab8e57b34997da342d3788aa1f03eeaa9aad4bc56bc2810d1af00ee575d3f0cdd89a672ff559fb42b6f9e1da11055f900ddec6a

Download Submit
C:\Windows\SysWOW64\UKTFOV.exe.bat

Filesize
76B

MD5
07bbb3f2049fc7a210177d47c862740d

SHA1
088b9b871a25691589275d46bea5b1c2ec22e623

SHA256
d3a7a829360e1fc9a71c14ced84b059dc85e8bb879c8b9ba3c795d13126fa8e7

SHA512
d31927286555ff194c39268d0f85b953f62d1a56d3e954b3915104157c9a743d53b441c6144eb68deea36b1eacba8cf81ab5087dcf0441ece97f1f58d6507331

Download Submit
C:\Windows\SysWOW64\WGICD.exe.bat

Filesize
74B

MD5
fd8cde01d8f04732db3282886cc6787b

SHA1
117b420580b98dd44d6815239fb46c5fe28feaf5

SHA256
7b80b60d4e34e71df4d339d8de611910172a30163217e4cd5c56a2463f3d5dc2

SHA512
c60960fba9b7a4e5b43208b8143933dbf1ddd92d4abe14b489ab3c20e5c26d7f2996fd31d1b54b5352796a214695ebb0ed4a0f7a9490decec166925fe5514585

Download Submit
C:\Windows\SysWOW64\WPBSZ.exe.bat

Filesize
74B

MD5
4fda2bca7c4246e1e13d9c1825e63589

SHA1
120fc1d50d35a783f8674c2d130ea241cb3b23bf

SHA256
0e70cd074ffd726e3aa7046a8965dc3ea069b6dd5841f7f380b2a2a656963477

SHA512
f8e30d1fd65e14545583e5a1bad39a0dff31d5a2aeb28352e1b99c10e8dd027e551216e11501bc052ecc6132f901218e5c591f82861f9aa232ec7e78e68e4f86

Download Submit
C:\Windows\SysWOW64\WRV.exe.bat

Filesize
70B

MD5
fdd664649aa11eba6099dd9e2fdd15aa

SHA1
958c98663a4045551a97e5062f2ac010a9acf005

SHA256
527fa49452d3ba59d46beed5baae493ed45b51072c8c07dbdeff3f6862a7795b

SHA512
08339b20a102298869160da26fd2b7f69c36de221f4084a10c175c4212d8722e0b8f0f0f5760c48c57c36798d9e9841457dc6ce69811f0011a2f80167d082259

Download Submit
C:\Windows\SysWOW64\WWVDQ.exe.bat

Filesize
74B

MD5
2b101f563e1fae6b6c37b0ce04553e97

SHA1
dbafc064b9e42276fc13859b2b8d32fe3d73c861

SHA256
3e7a77d2ae0bc1a7ff96c30da72a958c9a83a81e9267591c7acd878083bd5bc5

SHA512
e7ff5a48004ce5979a39ad84e3174f811562c3ce2a9da5f305374ba56cf0df33caa60e96f1f36c908371c3cc2c20bc72ba8096d674c2d0626fae9c3e14d5da04

Download Submit
C:\Windows\SysWOW64\XQI.exe.bat

Filesize
70B

MD5
ff0df52c6f08327ea33c4fa9b7dda2bd

SHA1
abc391f09620bfde543bb1099756bfe19d54adcf

SHA256
dd9c2653cc4dcdfcdd94382f75c33e02c9624da46de124ab95dbe8548face89a

SHA512
4045a1f555b85d112fd03ee8ce36756bec177f720af6e61c880905b813eb3f02b0ef3e9ae219f9808d3cb7a3f7978309f666fbb122b8338ee03aa1a739aa5cc8

Download Submit
C:\Windows\SysWOW64\YDDR.exe.bat

Filesize
72B

MD5
2257c691d27360677e50cfeda9014409

SHA1
a9850ef681f5d61d395173863bb2a65b1dde2f00

SHA256
85daff16ce7a3f8f05d2ee3a6f6d1c5bca17104e18ca290b02572b5256cf4363

SHA512
0213cf7a39c03642c7b5da3ee65bf34e05d1c91c5e1e22f4441eb0c0c2ed429eb38045ba8a0e13cbfd70332f2361f6057efcdf324ffd958be9a02628009365a6

Download Submit
C:\Windows\SysWOW64\ZTANR.exe.bat

Filesize
74B

MD5
76a7eb68a5b4213fe54b15281cbfef31

SHA1
911cd72b2716da688fe549ccb1133dba71b851da

SHA256
4dabdce938311010ec95ad3fba79eb1e97fe6e01b8408c862e2269610329e2e4

SHA512
74b5d096a5839ee84f3c0e6a4f5c65ddb78fc8d205094621edd9c1c2d338fa3468250432fcd9dea33253ae1206f7020a4e024ef278e921f3a58826023afbb143

Download Submit
C:\Windows\TBVPW.exe.bat

Filesize
56B

MD5
c88417a8ab44edca762a9a957519be0d

SHA1
95a8cd18315d3a156fca05011336cc1c082ac01d

SHA256
d4d4f5eef1820b0f9155b6986fe69a5ed83412da33452e0b5bd2c5af3a1d2420

SHA512
45dfc32a65415aef9bfd1175359f78088b45685ce01af4e6500629806baef890e08c04d64bfd3611fe5ba5aed34b9b5b34beb652bec0c0a573b403cfb182eff1

Download Submit
C:\Windows\THPDX.exe.bat

Filesize
56B

MD5
2b01266b3766d836722e772cbf0dc47b

SHA1
6ba47c9d7b610ce3ea9de575321ac6348354c98c

SHA256
894405755ee62fc57fca3fd8b53d7b7f2351571214bfca7e64ec6e1c5fcc2fbb

SHA512
e18b3633bbbf4e82993113cefad5da2523a3c2beb93636ed5fd32f6e7f4e99af7c0174a275b6831553749a7178445d16a78f0431edb4e2ad25a12f187c410531

Download Submit
C:\Windows\TMHS.exe.bat

Filesize
54B

MD5
28611fb406e5773b865637dd2bf8ba6a

SHA1
09900730d55d4e491d078139b141a49809434c7d

SHA256
0f3d0d397d21d199c0aeec7d59ad5b1be93f2db1e90a80a66cb9da32c55ab8e6

SHA512
d58bf5e75ecc3db6f6c231a2102968c505fc1ad6d7e7720cffd50a42db33fdd9f00858abef061de94e0371745c60c5655f4fed07d4a4e4844bbc3ed23391f8e6

Download Submit
C:\Windows\UFMEX.exe.bat

Filesize
56B

MD5
83114c78973c9eb46b9fcba7a7c9c1e9

SHA1
b24a297edd723b2973819f740da2d9f83467f4dd

SHA256
e3b52d8724c180c29708a6eddff418212e7f25f5951d943b77a15983b8197b82

SHA512
a678f068aeb6a99718804ba696433adcd2fa61a5261b54eb7747a89cc86a68c5c655a5b36daedfd3004f276a66bcd3bf7182ef9b718ab6d20547576562ad3f9f

Download Submit
C:\Windows\UPPPFVZ.exe.bat

Filesize
60B

MD5
63dae27f2ef5abd74fafae338f29315e

SHA1
72667f933e30e56237fa14fceea8797adf6f81d2

SHA256
1d03b2efcc2d522029fab66029d82f4c55995e5751ed83da26e7cf24146aaeb6

SHA512
8d771c942f0ab70993b3bd7bf31bad1972428db09b7f558cfdc37d8b1d0afca30bdfbe138b0afb5a5aa3b96aa6dc7bca54d870308cdd109382208937b0b7c797

Download Submit
C:\Windows\VXKCOT.exe

Filesize
208KB

MD5
e065998e0524888fc281246afcd36c76

SHA1
ab9fa02e8261fa62357d3f2420bf71f826d5862f

SHA256
b52db56b81a6e422751cf259d907346897bdf946e97b9acc149fbc8bee1e9cb1

SHA512
9e651208385c7d568cb4397f92a549210df232e2f285a6788538621ede6dbb0bf8e447db0afb8aef7205a841119042ff2399f530a1bce5bf84b555800e5d6992

Download Submit
C:\Windows\VXKCOT.exe.bat

Filesize
58B

MD5
adaab2ff847bea17391bf312a6c2bcbf

SHA1
3e762922e9141f3b68ed6bd2675a81d62a2e671f

SHA256
bfc989aca7f22d0199d22bfa4b89bf4df3c13e7c77a82052887f7f1dd40ca451

SHA512
b214f8c840cd9d45fba595fcc281614b547ecf6b7a67e7c40f3c90d848699d1a5f503560410ee7b607493c0ae6db6ac476615f49e7d9b3d53e70c5d07208e12b

Download Submit
C:\Windows\WDGGQTB.exe.bat

Filesize
60B

MD5
7573513661193bd74bc5a60e6b5039e4

SHA1
aa5793a2f2a077a8b1439b54e8474247a96cdcee

SHA256
f045d55f15d3348745dfe1cc7b30ddb73fdd49d6d0d29b5c92218bc4ed5e378b

SHA512
77a304126ad978e581b4166c245260e0478ccb3a94a285546436b4dbaa13944f33f1b1375d8a4f634a1bb7e3e1ebe1e1f3e9a34242ef67bff9b03ee16a280b45

Download Submit
C:\Windows\WFIHB.exe.bat

Filesize
56B

MD5
e0dd06b3bae70ab0b3d42de7c0a8e3c9

SHA1
2f69adfaaaba9a83e025a477f79c7347010194e2

SHA256
085fbc4d9f6bde1763e4431590d9d25f79e5c8ee7aef61c3eb5420b68bc6d65e

SHA512
91c99861b61161d0ad6fff919116caafafc186d08e55c1c20fc9f7d180f772b277d1139cf6de69bd4ccb4b7c99b96cf18f63f5f5fb82d8bdddb39140def2082f

Download Submit
C:\Windows\WVCZ.exe.bat

Filesize
54B

MD5
684bf0102c6105596d987b2b3ef6a7b8

SHA1
991eddcc9961d8ae83600efa78250db6124caedd

SHA256
91a619d628b69d43024816e126cab6d5dc12052b07bc6f6b152c5349d095b977

SHA512
1501a17f5a76f7d1a592b93bda36fc5d9390a03e410470efac7baef31b751bdd9af5b8d74d486fa0f85c6db4a01059ddd15374894df687dc950055cb580ca186

Download Submit
C:\Windows\XIVGJ.exe.bat

Filesize
56B

MD5
2b687bae665e6a4f39595e2c3153b0c5

SHA1
2acaf7f9eac4c5e0b30d29470d8a9b348389e58a

SHA256
1ff7122233acedd61f5f2f748b1e29a07f950fdb630c2152b1d12c683c5f2c81

SHA512
71a685e7a87680129eabfb70506aeee0ba782359a0a2e2389239b4504627d302113f0a0e3cc2524a3a26a4310e339d80ce9a74ee16eaab0f190835efa7dbfd04

Download Submit
C:\Windows\YEI.exe.bat

Filesize
52B

MD5
cb10d6c3252cf54e9e8533b770f3872b

SHA1
dd56cf39d1fde5005b9e842cf69a8113c5aa47e9

SHA256
2a984c83bd565b4dd9a4babf5061216e7f262e00860f0e3ad8b1810dfe05e119

SHA512
b5acb68b1dd7f033580a3dc9a8501a2815f43989075ee9303342a81f5a8750f0ee1387fd4a6e34d5ad11ec37cd400a2c9e7beb99b2abe17ec1ee9e63474566ed

Download Submit
C:\Windows\ZRTXW.exe.bat

Filesize
56B

MD5
676ab0855e3ee4e70566a3a045ad7b6e

SHA1
e4d9ec449baaec200b40e8e41672fcc789aed6c0

SHA256
8338b521105cce4a506c36112b0a85ce09ae35c083024eb27ee6df4e1d91acbb

SHA512
4284ff31b514cd5d3f8ab50837ac96306dada62c93f61eb94a30f55638f4576b9930c2aea6b458fb9e46abd26ec0b011333a5d5464514632dd97b636969c675f

Download Submit
C:\Windows\ZZSGPQU.exe.bat

Filesize
60B

MD5
8c0a8e726fa1503df68f367bf6291770

SHA1
6f60e3836126e0cc9d3a4a93ddd88c8732320af8

SHA256
3aa1cd0c1d415799c7fc2ffec3b448e169ab4d43407669a9a264026e204f43d2

SHA512
1f3874514900aeb0769a25e46eb73f8129ce641f48bb84d7b1430f05c6a1bc4f82b1a4ff780850b9ec43efee0f9f9559003e732d14f42127294ee322207db26a

Download Submit
C:\Windows\system\ALD.exe.bat

Filesize
66B

MD5
d3bd2e0229e309ed0175c1d3e3a0d9ff

SHA1
76fc50f9b3b4e697239d48b637a70c0f8d1fb010

SHA256
31506a8fcbbb6d6736906e20e322805d9d71eff6354c2afecbf604d5dafd91b5

SHA512
377e53a39460e074b6048d95b9735992d4057a7b15fbe53745db29af750be15f91f4d4205f82e6a36b6f6f9de86a4ad41c8ca4c6b1119a967b5a03b5d1d9b122

Download Submit
C:\Windows\system\ALO.exe.bat

Filesize
66B

MD5
b69baeb4eb84c7f474d11cb9056cefce

SHA1
0841696247b880ecc80fbd58d62a876cb56213b5

SHA256
f1e1aa8c0fb533336277a5cbdde39cfafd21b917f46423618db83c711b7f19ba

SHA512
18c03b3e019a70ce89c6142c815517772f96360910fa8238c42dbd66750f6dcbcce5e5488a1136b7c08e6155f04d640a9b3358ff9f6953f582163b25030870e2

Download Submit
C:\Windows\system\AYRKR.exe.bat

Filesize
70B

MD5
56d3ac31910ce0c4faec49ddca07f96b

SHA1
b1189874bd40491e928a05023220a69931495b58

SHA256
07260a41e992bd251c8e5490d5d666aa80339ef1baabae910b356a8859cb1aed

SHA512
bb91051a9ab3a6583f48a487158fecb85736d516ab409263485fb5ffef0ead55dfb5472721127cdae68e534ed6c318f42d4e4f143084bcba5b9794cce5ab38ee

Download Submit
C:\Windows\system\BAXAZI.exe.bat

Filesize
72B

MD5
cfd0090552b96de648881a83f126b45b

SHA1
bc2ee498e8b6a59254395a693aceedb9a72450f9

SHA256
2c01c410502dde0d27daed2ae9f2a6e3aa1685fd1f4291ced6eb9ac4a39ce22c

SHA512
98bc2bf1232b60c16a3c1f6c451a4bc15c7a1027e930a663d90db4c09c4ebed2d3337532d48f0487c43dbc7409e1390b66f9023db30c1408e077ad8d23ca7616

Download Submit
C:\Windows\system\BLNJFO.exe.bat

Filesize
72B

MD5
229beeb6a231f80fb0d3f63e72d5dbc8

SHA1
5148efe93f212dfd8a300fb7152576551311faa4

SHA256
23dda60e11d4e2b54bf2d37f0f2e9bc35947cdd7a0f8807808c99238b004e470

SHA512
a57c7dceeff079fd168b5c3a93d3bf715df2849c43ee5c2eb452a03dafa6df6eb0ee58dcc144d7ee5183b1bf8686adb95636d53e4a521de1fab4002be65dc10c

Download Submit
C:\Windows\system\CXOAKV.exe.bat

Filesize
72B

MD5
4e47bd91c8eea9619a59037fa3331a54

SHA1
b6ab2206f5f00aa4a0acdaf0e0254aa4c7f3793e

SHA256
0438ec54a51ce35aff9f943d69e41322f13633557b7d0403c3e64168acb52b33

SHA512
caa6fba1cbfbbf7c293355d8aed14a66b3019b84a3d970210fa7084308af2cfab390a08857e480f40a11bdd18c29bfa614de74b0de506f0d3809f66fc0c124cb

Download Submit
C:\Windows\system\EAYHFN.exe.bat

Filesize
72B

MD5
ab7771eca1ae1f1d4d68e02dc8309734

SHA1
fc2559f41a697a04b1f9860f2d83a58db5c10feb

SHA256
ea5f4b72675257ec3c60b1afbc8734d5b446369e12c67a3fdcf4e5946ad38db1

SHA512
5d6b2e611639d8eefcd1a49615d4f709605c9f27c877a2f46420184da1eb14672f200679432bb37f9ac4916253cf46d7d46d79ed9ca4a31c0a1c053d846b85cd

Download Submit
C:\Windows\system\EDIC.exe.bat

Filesize
68B

MD5
bfe9741b6b8514399ddd4b0745720fef

SHA1
9b122f6584a2ec6d1bf39505e793e413b61404f8

SHA256
230f712d21aab0feeee5470a01ce91c071606312c23768a32ba4b07f29e767db

SHA512
f985328697aae33cfb288e8158b01ec7358b5152a3339dcd3f2e1febb992100af3d2213ef4e6b75366dede396a5043a63a9f6fae1c93dffb0b16f0aba9e27ca5

Download Submit
C:\Windows\system\FSOISHU.exe.bat

Filesize
74B

MD5
ce209ccd84c769591122cd455135771f

SHA1
52e65b5e0b6045c67b2ecce47cf630654b71e41b

SHA256
68dff3f79efa14a9edf6c34fbf8a49c05a704f348ce2824b6b39c5eb376fa907

SHA512
bceba50e6fb93ef9dd7a4ec69c31c740ba10a2016a02c7bf13ac909e16bdde4d5537d6da78b1fe46cb2b02b1c5c2c146dd6701141c262e5acfa7fa36df5b7401

Download Submit
C:\Windows\system\GFW.exe.bat

Filesize
66B

MD5
90dad947e6a6fbb17ba6f5aa784690cf

SHA1
f287f9e3f725723a13fd362ee47d899e490d912c

SHA256
4bc857827e3256df120eaf1a5c44097718da129433aa40ba012959cc22139721

SHA512
977f419d3d4f4f5009009d1224942ec81414a1ee1eb69f5430c3924675da28b8c2d61d132cedeaff7b1f071351c2d893d7b6be5cbe361c50beccd48c72a2f709

Download Submit
C:\Windows\system\GMV.exe.bat

Filesize
66B

MD5
aaf0de711434e4aed3e0c1eee528ba42

SHA1
963475a99f1297b78caa3a266ebbe3914d955f27

SHA256
3ec55e3a3dfca2d38e5f7921c70a302f602f69728213b89420004023ef47de63

SHA512
97b7796274e462fc0df2b529ea36c36cae0066de091e0f27456fdd453fe1b2297c7cb3f138e93396a12a7855f77cdc09af472328bbe6f7b9eca8421c8efb065b

Download Submit
C:\Windows\system\HEWS.exe.bat

Filesize
68B

MD5
35c45b44ab9b0b0c0bc3f6e95d569b82

SHA1
30ede3228d1948abc6e84080c889e0b05206899c

SHA256
504275e9a017222870bf0970a83ff23779ee0b9dd0d65e4560fa7f8893db742d

SHA512
602b2bc61016fafebb21237d17db35eef17e7c0f8589807b9791ed71e795020096d9993aa983c8a6d5dcb56343498d9c26562eabae3795c89b9ca37aec0a9e9f

Download Submit
C:\Windows\system\HFNBFXG.exe.bat

Filesize
74B

MD5
e99b7d02f7d370eace4702f1ccd7a3d9

SHA1
49dc88113e9f8177bcdb91d14dbbdc23997c7794

SHA256
750b07cb78d095fbd4f64e083d7328df2435524fd498f8641da29ca66237f235

SHA512
08f389bd26efd9095b4be24adb58101f040df0b4eecf67dc74fdd6397c1777d2c0f04ccf1f2aa30884277d49debf88d30e4b9d78d8237c72046bd95207e1ab3c

Download Submit
C:\Windows\system\IOPMHD.exe.bat

Filesize
72B

MD5
e3fa2c29ce2b876d15fe35020dcb0920

SHA1
fcfce759ac382530097ab22c633ec4fdd06695af

SHA256
238727e20a75d49480d24c27e736f7228ae2c5c4fef3f2e57c2bea238acd7a13

SHA512
6475bc9fde8a22d1404ec7bac5021cdfc73217f688d2b149250111e01c2703ab608a5607dac143448cb668fb2bf7675b4a2eb8e613f2d2977feb212598c0bfda

Download Submit
C:\Windows\system\JHEKRW.exe.bat

Filesize
72B

MD5
b7792211f42962ebf5696b562a85b07a

SHA1
f40a0891e2d9f8f303447c363c85e8b9f287adaf

SHA256
280e5d06b7321dc52da974e7dbad5d04d816f71fba712ae306f5a6cafc1d859c

SHA512
9fa1bdcd1118f9138e36d0469576878a3de3e6b0fb29565ad6338a246e1bcd89d1ca1e59e5d3611a84cdff392be1cbdc86c236d481b893b87891e1ab3991df82

Download Submit
C:\Windows\system\JLGMSQ.exe.bat

Filesize
72B

MD5
3b450fc3f7a57258d49efb868d539600

SHA1
89e4bd80df48bf00b7afda4390e336fb9d72a0d3

SHA256
0f292e9df56cc0a12d6eb3d501a6a91120705f4c639a8df82a23ee37a6850378

SHA512
7a1eed142277d747b8409fa3bf972f34fa1bcf74a2dd0d1b490bd04b5d0e063866a38f3814287c3eeff6245a9a943a61ff2b1f23cfe59a9c83cb616617f68f14

Download Submit
C:\Windows\system\LQMD.exe.bat

Filesize
68B

MD5
e0945b7d94a5a6ae6034136d49847d91

SHA1
827115dca9148682f0e48dcdc6c635acdfab4454

SHA256
7b2e0aa79f9175eac8ac50ac86e3cf07484fe48f64c906a4e0bd1b84c7d2c9dc

SHA512
218a224ff7fc37270f8c202c2dd3933c0bfeec87a3901b7106b03c9ecb2b640109752e587afe9c0e8cf4a54d4a52d3c77f255b6b3304091dd25c659f4e68b97f

Download Submit
C:\Windows\system\LTTBU.exe.bat

Filesize
70B

MD5
2aab76c8e53ecbcc0c5a7a3741d625dd

SHA1
a9f2aec54a9a7c5628c3f771615d7f09f1a55c60

SHA256
d83318b5369cb819d852730ef2762ce8f9e9ff694217516ac1e06b4d737bf72b

SHA512
901007dd6cdb3bbe2740a48cc389963d79aa027bf65f544f3625466e5c5f030fe88093af0161bdbdbbaaebb9d400f5e40af4a04814db653ba8055918eb310d72

Download Submit
C:\Windows\system\LVV.exe.bat

Filesize
66B

MD5
4caed54f1c2ae1de0e23189abc1b35d3

SHA1
5c9ccb70751f14dadc3a4cc3a519699124c3083b

SHA256
45c53734ab84fc8992dddaac19ca44db55138c9509e5cb60c7fb96b88482993e

SHA512
a8b75fcad2987ee1b57d0cd3a827e8de7f999a9c0fb4a8e42912607601c36a20a933cd53582350c60cfe78642d78e21fc8f5ef39a528f0d1c3589707e633afac

Download Submit
C:\Windows\system\MEG.exe.bat

Filesize
66B

MD5
fc265a581085c546c48dd26c359713e8

SHA1
83610f42aea951cab8fc6bdd5c1472e94ed53935

SHA256
19bfcb019ffc0d4211d4976007efffe8377d6034d57d8fb718cad429fe069ee8

SHA512
f13200fbe83542283d86478c4bb2dcc70c1c0735a822b115aa3def3289470457a5e4392d7dff806f2b644512e13dc34e3281775de7c3f75e1196d31f5eb05a4c

Download Submit
C:\Windows\system\MXB.exe.bat

Filesize
66B

MD5
c31b9798eae3b1abb304d40316053d88

SHA1
e43d9840abbff03a28dc8895b57b39f2672b8b2d

SHA256
a834a5f47bdbf8b6edbaacf0544440a9782dcc3927ac7290d7db252dba4c9fdf

SHA512
308d43e98a3babb10fae6d70ebde17c64f28a02ff0f548408c41004ae8d27d6a71752073f87122d1eb63bf86eb08ca480ee3d5cdfc01b53c868387a7f2dd96ec

Download Submit
C:\Windows\system\OCS.exe.bat

Filesize
66B

MD5
a2573e9a7fe5fdf0dd23ffdd0fc8a746

SHA1
c600520fc04ed1cc05d3e53be18a3267325d5f5f

SHA256
fa097fb31e249a52e49ac211dd5a27f0764c8077d363aef1f27eb4466200f68f

SHA512
c72feb4488bfcb01367db1881a2026977e30be26874da4a534e79e295f721a2e517ad4b5ebf46abe39d83d46007c894a981374a0460abc9489a0652831925d13

Download Submit
C:\Windows\system\RAERCS.exe.bat

Filesize
72B

MD5
a99f2bf513de37c49c5bbf5ae5c416fe

SHA1
89194384a8a158423e937275b72d4ebd87f8d191

SHA256
577b6f57da332b9f64e8d0c91c9e12bb82cc7cb658c822668f05ec6ff4e114ea

SHA512
1e1804dc45a645218f3c3f2e0d76abc35d9f8464173d77246efcd5df76141f8e7a47563be953484be6e7af6f3169bdfeceee8f8bfd6c15212e43e4e83858cfeb

Download Submit
C:\Windows\system\SNUPBRC.exe.bat

Filesize
74B

MD5
89047c9ba4c652e8545fda187e30af28

SHA1
0d206cffa9d49cd8ee3f0275329fd73a25614e40

SHA256
5b1846da7cb5eb656b92276668268ec7043cd142bde369974b62f4883b602f89

SHA512
55d3c2d00032f3df6b8043fb3bbb2664d5592808c2fac7ecf0d466adbcd5065dbab5a597baa4902289dc3dd289984036e05701971ff8e1ba2570a5a92a10bed6

Download Submit
C:\Windows\system\SQH.exe.bat

Filesize
66B

MD5
beaf369baa47acbdbc804d771f74e695

SHA1
6bd942b189e6d768748dd85ef816df9cc8e4878f

SHA256
3c573039a0b028e9e8b6b8d50f64e24480265833e3e6e48da1eb7cf08d9d2ba2

SHA512
c71d975277ef0cbb34db21a060ef539276aa47395affc7b09e2a71ec0dbfaba63186ebd8bf11a222ed029dbbe3b2247c856cadcc108079642c19d157f5b3ac32

Download Submit
C:\Windows\system\SXNJ.exe.bat

Filesize
68B

MD5
bf4882e6216ea3ab3b91eb44019be977

SHA1
47b88b895d346c4ce4958b33feba5a7a8194d547

SHA256
a26b79648feaf6786375ea0f0693332f3c67bc644a950ad6d6b133b795932cf6

SHA512
b472a3a3b76c6f96d88c630d8608fabe1909b8c6a071502693f011274c3a0bccc9c7a5b79a19001c88fb31ad6fb8f852fbe55a0cb918cded15d4b9e366257282

Download Submit
C:\Windows\system\UYXXY.exe.bat

Filesize
70B

MD5
3398efdb79db2bb3499b5aadea887cac

SHA1
f25868288d13d6dc59abfd074b382efaa0a97387

SHA256
b3e2be10a135b7dd0926200f4f42d306b98504f4fcfbe0ee6921b86a645fab28

SHA512
35fcb090a3c69055522f204ed37bcbe6f2aee521b97584957b29284e31452bb4780f7627455c2359ae8f71e6c8ab3f9904de282b10c4763734358f2091d2f82d

Download Submit
C:\Windows\system\VBZEFUX.exe.bat

Filesize
74B

MD5
44ffabe5001c343c8e129544a7097291

SHA1
8325e817e8ac71e683c8fa82545a1a4bfb59be49

SHA256
f86d986aec41322fef7e4c2e129b31f19ee45af580910e53855454260289f97d

SHA512
e1652da9e5095c6cb949ac1c539111711f18d59999057c3d1031dca8c4f18e37e6a6112fae7f43af3a354bac4fe6a4bdb03e0750d094f9164eef6b07e50746ba

Download Submit
C:\Windows\system\VGO.exe.bat

Filesize
66B

MD5
865ee3cb46c18aba79531c345488e851

SHA1
e866e19ef309d0c7fa7ad0bf832452440c3b0fb6

SHA256
9b398c1c900728d86cad02389798cca78af5d3c135beb20827a072de24b4525b

SHA512
8a86f159f8c4c70d1a7541f1c78089a8fa11c634f92651309e1dc44efb98685aed8cc704036df37e4e87b18ae4ba8817c4ea1c484eed1b8082355f8c08a36022

Download Submit
C:\Windows\system\VPRJVL.exe.bat

Filesize
72B

MD5
d6f4b92f319c27821944e16c896da14b

SHA1
7740449aa8ab4739599ccf687b9ecaa52b5d7130

SHA256
61e3e949652e2977652b2265f3b7bc684a7a9c5d80cd238611477d95a397f481

SHA512
4101c5a99be14cac843b37f006a920c4602c5d33191e8ac1f07e5a09f177632483af3f0f9a8ebb0c016e10f700bcccbd8ac151b00fc05cf70fe1cd4110aacbc2

Download Submit
C:\Windows\system\VZSL.exe.bat

Filesize
68B

MD5
d7d0870b62f94f65e15612df8a6e569a

SHA1
c43064bbaad9b9b8b2525e6301ba1a5020935879

SHA256
f7b0515ff1183e301c8da855314d66ddc0897528b7f3b93f45b7b05c01d307ab

SHA512
b0564ea5631233a57d879dc337ffd388012d65e31a019f557be64e1227f41bd4b530d05680c32082c69fb6b9f8f0e80c17c5d769d5058aa3ed3df06e279fa0f1

Download Submit
C:\Windows\system\WMJ.exe.bat

Filesize
66B

MD5
f4dee1f90628fcea48a8d5ee01e7bb7a

SHA1
1b4e6b41813672782968010a82bfe7278f6e974b

SHA256
d8deccc5c75350b79d9548bb7ef287003a0cd7b3c17a7d963d758d0c2c6b09cd

SHA512
6d9c107c48b1a5c130f20c3bcd79458fd1283b61613456fc4b99a9a1210a1096229a6e59ade297cac4ec0d5b6dcab61d93dffebfa0f3ac1bae0b1bd18b3381ca

Download Submit
C:\Windows\system\WZSBVTT.exe.bat

Filesize
74B

MD5
953e14dc834172af86508fd91cd81d4b

SHA1
75e2ea8c1518e197b8e007d73d7ad0d047c1ca2e

SHA256
aae2deedbc8dc975096799b62afe2320f113223527d03e525750bca432aade49

SHA512
b29000ac47f5728357288b44f77988a993dbf9f4f74e4c8941fb93c41ac6e44839eb09daed6a67a92806e6387d7c755f4ab3dc153c02622efb4bf914ac079de0

Download Submit
C:\Windows\system\XDE.exe.bat

Filesize
66B

MD5
b448d90023eaaa36e45f16e4f2476aa2

SHA1
fe8e8731a7f1ff4b010f201ac7905e5ca7cd5a46

SHA256
732a36940811b0ddeb006273eb7895e290e3e3dcf3e51d0b7e0d441a1d742ab2

SHA512
e83da6e088f037bda58c20fb8d1ad61bcfce961d56a176fd4e78ef476a0a3d7a593b38cc95f34d6f22a2abfdaae9d49bb2abad3a30849bdf670cc0d142e35a4c

Download Submit
C:\Windows\system\XWXFLLX.exe.bat

Filesize
74B

MD5
8e0111fe9122cad8f0646a94c4ebb93d

SHA1
3d4c542cb31818b730351cd7ba95c99e742f53d6

SHA256
78c3f31fff49f8f32cc598fe9712c72f113b71fc0a4008570f2490fb5fabd2f4

SHA512
7f9b4614b2851039a06b317adfb2fad141cceba0b809583697d19e446fd0465d7266a4f6f9532ce128c3c09f2115cf82ba422a760aef18c79968fffd82d2030a

Download Submit
C:\Windows\system\YOMFOW.exe.bat

Filesize
72B

MD5
bdea660474588bf390997634a7dc48bc

SHA1
9b3d15f900e618787aaa8544231beaedccb1662c

SHA256
6bb1c05ccea2a267887d7a051b6f6e277c31c1af932b9e1d098faeb456c258c0

SHA512
e592be434252cb730697dd9089d8aa087e0e53bc5d25347e35e0e5c406628aee0a5c7f38eea01ff204d9be1037a0c4cd7975e8c20e827351636e1ea30e943eb2

Download Submit
C:\Windows\system\ZVJNZMQ.exe.bat

Filesize
74B

MD5
e3d5934e382bb57678a3d7b51ddb84bb

SHA1
10bd7680936155ae847bd392fb13d45b9ac84df0

SHA256
555d12025e42e9724db23189a464d9b3d504c980023e42521f87bbbc384b51a9

SHA512
ce1e1a2cca8868b12a9fbb614c245f1843e9fd23a2362f024b65e53ae86c351db1ec438dce93980bba1768fbef84599d323c7e01739ce4bf15f9db7a4fe9f58a

Download Submit
C:\windows\FSJTIVL.exe

Filesize
208KB

MD5
e71730e9621bde92dcb271c24b2a2934

SHA1
ec07f44d26dd5553a2445c084326cd8a2d94c19b

SHA256
4909879ce548b064a430c5becc29e686d755708daf5acd03d217a3461f4c43aa

SHA512
426b7f7244c216501e27eca9f21ed6553f17161578332f61c2f496b1f8e5254a05db732519bb1adcb921aa252367ff3893cddd6fc075cf116b57c3d93fc31a80

Download Submit
C:\windows\IVLWDAH.exe

Filesize
208KB

MD5
1f731fe73fb974cd186a5b60973e5a75

SHA1
653b323908cc3e0b12769df493aff38cc9e2f3f4

SHA256
959cd8c679a9266e140a5772687d7ef21e32d5da48d5d1aefb9430b230b9f59a

SHA512
c7387254f25213edc3df9e21c209238d832d4819d33f01d4f7fa66d9e24d9c154c9a3a291d48d23428c14f3c3528417111fee1b5bdeb76699fe17bb47a3bb86a

Download Submit
C:\windows\LDXTTA.exe

Filesize
208KB

MD5
5b1bf038040334afc63bee561c6fe80d

SHA1
f77a6b68d6b152a6bc9a0f4b9eb2d43b6e8e51b4

SHA256
9915efb18b99997d0b86f3645f800625505b78dec393300143a0a53dd6391507

SHA512
48bae934f5322362c1080cbbc0eb0df3bdd05a6b99402e69e82d22cc59be0c01615f15424ac6e58fb9d614f20417330942745856dd57e0408e3f1e707dae2d1a

Download Submit
C:\windows\MVBX.exe

Filesize
208KB

MD5
4da7cc1056e6bd27a4c6c89e0e1bc637

SHA1
6355f34c22ac243af0171eb7bc33fc0bb19a56b9

SHA256
6bc498f296cc0536c814501911549a8a5e84e18a720803f49f158babb3abb9b6

SHA512
6d0a9f3e47501335aabc38bc08a5b8dd63bdde94c6677ef8abeefdb1c73cffcc123d1d7df36a7a6b988dd58ba94daad12ee1e20775d4b390a35f666c209a301c

Download Submit
C:\windows\SysWOW64\MFEQGVV.exe

Filesize
208KB

MD5
deb7125353e5fef7c2f8aaac062022d1

SHA1
bef82588ffd616883934bc350f2344f08885c5b3

SHA256
134810c44456239e1561f0adfc7a17aa1809d5db277c70d44cd50f0662ac2493

SHA512
44d2d0159c60279ec590c1fc287de369ec935e5253722b25cbf76dc35270e06f6e16ffc7322562696f0810a609f66ea7c02cf6b8eddbaf90a2996194ed6a4f02

Download Submit
C:\windows\SysWOW64\QKAL.exe

Filesize
208KB

MD5
813e0faf36a5bec5d87f3819caf71bf1

SHA1
8d6105450445485cf03d99dd1ea271da2d0f2c01

SHA256
0d40a27de1810bf64f7df32cf0899e831ac8944d7dd5b17eaa26a6846f0933bd

SHA512
d7888528f9028f6cd957d30806069f219d6795062462fec3be7a3923bc1ac0cc93170ab7a7621d32a0e0806104d159c985b75277d3c66296b539acdeeeb7d7d2

Download Submit
C:\windows\SysWOW64\YDDR.exe

Filesize
208KB

MD5
c4a5552fa358c33348fd4ddde16fd84e

SHA1
e1a3eb639d004e758ae4a26a54e7914115a92e22

SHA256
84f4377e56c412f2e11d824257f2ef9c164d10d7dd4301df7b72b53631ab848f

SHA512
ed749a7b42fe0bfe23cf8ca0632763025897fd99647bcfc953a958982c7d1629b1db1cd9a436365bde4a6b063253dbb27c6570872439311d0d10c8a7f6a6c4ac

Download Submit
C:\windows\ZRTXW.exe

Filesize
208KB

MD5
a3ab0cf321deae9ec95df2c8a19b2455

SHA1
186b4126cafb12a9aa6505a468fc898674c1a22f

SHA256
202424747da94a1b7cc9f8063c1abe06616da6c411e6a84796c35915bb474c78

SHA512
31d1a2a9df7f2d713e6974c9d8d56e353e734a611913125d3cc331fd55d3cd51a0664ab430e15bb93e3d480d2807220d2167fc7fb3ec89a061fe0de2cca77863

Download Submit
C:\windows\ZZSGPQU.exe

Filesize
208KB

MD5
406101a42cb6aa5b207d3a4d3f4b7f05

SHA1
a29f011b91fc9c4b0180ca118df9e8165602879d

SHA256
d6cca5ec9491d414b8502cfbbbec5f15b6c6fa61dcf7c82d22abfc4b7a041f54

SHA512
5bb3e91b7400c254a8756e648318eef3feae77758753ad3f9ce833d68fce042647fab5a74e3aaa7df1a4286be949179495eff95a0e7dc9a73d0b8eae495dc5e6

Download Submit
\Windows\SysWOW64\STJKQF.exe

Filesize
208KB

MD5
8c238ea897edc32a1814b13cb3869cb5

SHA1
70ed151cb1dbaeba13097358938288fcc358915d

SHA256
9049759ea36bb2e7fc55a830c8913d09e25708b02ab9d78f857b328f49a5a771

SHA512
1224b35b39d6879280af65e8d7d261990e4288f3e8c0f8f66c053204f82a5a93818d722ccdb07440d1197c7234ee4892b0546b7902308172c503b78a1b23cc5b

Download Submit
\Windows\SysWOW64\UKTFOV.exe

Filesize
208KB

MD5
2acb9f4d06c57a927fa5a2db04a1e80e

SHA1
ce2a2af1dfde2c43b7a4c87f48cbef6893de8597

SHA256
694991c9e3df1eadcba7ce0a15ee3daf8149c9776d3228ce0ad7b623066cf413

SHA512
99d9cb309fbb1e988d9ca0d25cdea3b7851c4c2e96f750106e37d49add53bc5ca9f9650c5614762a4a2a0c9c9f656f5e0cfbc9751715deb1447acb93026aa268

Download Submit
\Windows\system\JHEKRW.exe

Filesize
208KB

MD5
9cdf0a85cad75de1179a6f44ddd30275

SHA1
762aea35a85ab95c1438d29c8747d8afebfbaf93

SHA256
65577b69450000046516e41e873c5bceef4753273a5154f8bf2ecc17e2a5e9a8

SHA512
dc7963a3de57bde5521ebcf5a7ac7442fb31cb2fa56e2dedb630a7a7d057bc689a3720768268390af0606e6580a2b5774a8bc29a0b3dff896cdb50cb31d35ae6

Download Submit
\Windows\system\LVV.exe

Filesize
208KB

MD5
545f6540c3898786e02255a26e1a47be

SHA1
9b96155519920f150b2602b2fe6a632814953f68

SHA256
526c5b670e38f5e773c7b92c00dcce944a739575e331309d5f6dd8bb650f83f8

SHA512
c731a0e7019d03cb4ee629e1748d658fad10abded57bf5e73904d6451b8662c9106f813a00e9d9ed6b74b138e94189b1e8bbcc9045a855cbab80c77c241b82c5

Download Submit
memory/564-416-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/672-376-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/672-375-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/760-62-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/828-172-0x0000000000300000-0x0000000000338000-memory.dmp

Filesize
224KB

Download
memory/872-429-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/872-441-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/904-209-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/904-208-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/912-185-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/916-65-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/932-193-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/932-205-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1120-241-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1120-229-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1184-349-0x0000000000290000-0x00000000002C8000-memory.dmp

Filesize
224KB

Download
memory/1184-119-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/1404-115-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1496-442-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/1528-153-0x0000000000290000-0x00000000002C8000-memory.dmp

Filesize
224KB

Download
memory/1564-523-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/1592-211-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1592-223-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1676-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1676-587-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1676-138-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1700-522-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1700-510-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1772-403-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1772-415-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1884-133-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1888-562-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2076-428-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2108-561-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2112-46-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2128-390-0x0000000001C30000-0x0000000001C68000-memory.dmp

Filesize
224KB

Download
memory/2164-455-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2208-467-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2228-100-0x00000000002B0000-0x00000000002E8000-memory.dmp

Filesize
224KB

Download
memory/2232-574-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2276-374-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2296-362-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2356-507-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2400-588-0x00000000004F0000-0x0000000000528000-memory.dmp

Filesize
224KB

Download
memory/2428-136-0x0000000000270000-0x00000000002A8000-memory.dmp

Filesize
224KB

Download
memory/2436-167-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2436-155-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2444-377-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2444-389-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-80-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2452-322-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2456-508-0x00000000001B0000-0x00000000001E8000-memory.dmp

Filesize
224KB

Download
memory/2456-509-0x00000000001B0000-0x00000000001E8000-memory.dmp

Filesize
224KB

Download
memory/2460-336-0x00000000001D0000-0x0000000000208000-memory.dmp

Filesize
224KB

Download
memory/2484-549-0x00000000002B0000-0x00000000002E8000-memory.dmp

Filesize
224KB

Download
memory/2496-575-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2504-361-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2512-402-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2540-454-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2560-548-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2568-297-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2568-309-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2580-189-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/2580-191-0x00000000002C0000-0x00000000002F8000-memory.dmp

Filesize
224KB

Download
memory/2612-493-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-267-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2648-279-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2664-282-0x0000000000140000-0x0000000000178000-memory.dmp

Filesize
224KB

Download
memory/2672-335-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2676-49-0x0000000000360000-0x0000000000398000-memory.dmp

Filesize
224KB

Download
memory/2688-494-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/2700-85-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2700-97-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2732-295-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2756-245-0x0000000000180000-0x00000000001B8000-memory.dmp

Filesize
224KB

Download
memory/2768-15-0x0000000000210000-0x0000000000248000-memory.dmp

Filesize
224KB

Download
memory/2768-16-0x0000000000210000-0x0000000000248000-memory.dmp

Filesize
224KB

Download
memory/2812-259-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2820-468-0x0000000000430000-0x0000000000468000-memory.dmp

Filesize
224KB

Download
memory/2844-296-0x0000000000210000-0x0000000000248000-memory.dmp

Filesize
224KB

Download
memory/2868-480-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2872-536-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2880-265-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/2880-264-0x0000000000450000-0x0000000000488000-memory.dmp

Filesize
224KB

Download
memory/2884-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2884-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2904-348-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2944-83-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2944-495-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2952-33-0x0000000000130000-0x0000000000168000-memory.dmp

Filesize
224KB

Download
memory/2980-535-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2984-323-0x00000000002B0000-0x00000000002E8000-memory.dmp

Filesize
224KB

Download
memory/2992-481-0x0000000000170000-0x00000000001A8000-memory.dmp

Filesize
224KB

Download
memory/3008-310-0x0000000000340000-0x0000000000378000-memory.dmp

Filesize
224KB

Download
memory/3028-30-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3028-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download