berbew | 8455503a13bf1290304f2cc41b0f3bfbfa88ca7d5276d34c9e42514c270117a6

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Lqojclne.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mcifkf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Filapfbo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Koajmepf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Process not Found

Berbew
Berbew is a backdoor written in C++.
backdoor berbew
Berbew family
berbew
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002adf6-2068.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 37224 created 3368	37224	Process not Found	52
PID 37224 created 3368	37224	Process not Found	52
PID 25788 created 3368	25788	Process not Found	52

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/files/0x001900000002ab29-134.dat	xmrig
behavioral1/files/0x001c00000002aaf9-292.dat	xmrig

Boot or Logon Autostart Execution: Active Setup 2 TTPs 10 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC5F3D4-64EE-4eea-A708-E350A9876BD2}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FC5F3D4-64EE-4eea-A708-E350A9876BD2}\stubpath = "C:\\Windows\\{1FC5F3D4-64EE-4eea-A708-E350A9876BD2}.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E26B916-056F-4cd9-914F-DB7C6ABCA051}	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{015CDE89-EE49-4fd1-96CB-BABFCE2F009A}	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{302A6A52-3312-4d76-B3B2-7E383749BB9C}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{302A6A52-3312-4d76-B3B2-7E383749BB9C}\stubpath = "C:\\Windows\\{302A6A52-3312-4d76-B3B2-7E383749BB9C}.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E26B916-056F-4cd9-914F-DB7C6ABCA051}\stubpath = "C:\\Windows\\{3E26B916-056F-4cd9-914F-DB7C6ABCA051}.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B26642F2-3179-40c1-AA98-29C34AA5BF32}	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B26642F2-3179-40c1-AA98-29C34AA5BF32}\stubpath = "C:\\Windows\\{B26642F2-3179-40c1-AA98-29C34AA5BF32}.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{015CDE89-EE49-4fd1-96CB-BABFCE2F009A}\stubpath = "C:\\Windows\\{015CDE89-EE49-4fd1-96CB-BABFCE2F009A}.exe"	Process not Found

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
31496	Process not Found
21480	Process not Found
14384	Process not Found
10012	Process not Found

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x001900000002aae6-214.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
4648	virussign.com_02086fe70be8b2f98a26c8976ebffa50.vir
4768	virussign.com_02086fe70be8b2f98a26c8976ebffa50.vir
3236	virussign.com_02430a5aa0fade970b559057312773f0.vir
1280	virussign.com_05c3078160025e055e31b207b2c9fae0.vir
4876	virussign.com_0a048f1cdb9480e46de3c80728806f10.vir
920	virussign.com_0b9d792e46792ac3ae996fab5d916810.vir
3276	virussign.com_0dd8d726d0931d83c953ba0e2abbb9a0.vir
3120	microsofthelp.exe
5092	virussign.com_116ce2a1fd49210068a0f473842d5040.vir
2284	virussign.com_176ead841fd513c687d7bb949df1b790.vir
3816	virussign.com_1c03261b3c48f6ee44730d62e5c70ec0.vir
1000	virussign.com_1c6a0eb754eb16314dc4cdfaf6297330.vir
4708	virussign.com_20bb9d6e02a7abd5ed80b5211a3f6020.vir
2860	virussign.com_26dd5367688cd475f2ff8d7ec0410230.vir
4172	virussign.com_2d9a6d9b9052b149d0f080b2f1a9f0b0.vir
3920	virussign.com_3480729f9572c299fcc9e8cd77904ca0.vir
2068	virussign.com_37c7709ab0aed9b20b56ed66a7d12100.vir
2332	virussign.com_3bb1202078a92cea11a60eb07a588940.vir
2324	virussign.com_43e1fe6e5f9bab4195ccda4978913650.vir
4112	virussign.com_48c9dc42ce81f9c3af8c82aa6517f370.vir
1020	virussign.com_5189ffb7311dfb72033379662d41ce60.vir
4924	virussign.com_5884d29c32afb422ab56a704852d5d10.vir
940	virussign.com_5d7e49a025c7561f46a4243448cd8850.vir
2604	virussign.com_5e3faf8e84b4daf17f924222348b7e40.vir
2288	virussign.com_63b60ea31621845106b84ffadd595450.vir
3060	virussign.com_69a1ca89bba5eaf5c37d957e5dfa2100.vir
3388	virussign.com_6fa46e2ce246a8b475b1e9ab31ff9a90.vir
4084	virussign.com_77c61a9112891c7e9515b8c233057ce0.vir
2036	virussign.com_7e107c53eca43a4993f3217ecdf067e0.vir
2388	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
4048	virussign.com_8909a327b78df6f1393349086fed94f0.vir
3468	virussign.com_83718ff205885ef58de7f4bd0066b8c0.vir
1272	YkpgUdx.exe
4680	nTaSbpd.exe
4864	tDgMlTj.exe
4504	dWvjqLX.exe
4840	NvcUeug.exe
2612	FB67.exe
4396	XdmrKJp.exe
4428	PWIuFCQ.exe
4296	FfxmTHa.exe
3776	cATTAQN.exe
4968	AdfpKfT.exe
4416	grsOIvi.exe
384	zplrGRr.exe
2432	xqwFlWk.exe
4824	PxRqrWb.exe
4692	vdfpMaZ.exe
3352	DbMNmnr.exe
2704	CDjlnLY.exe
2740	wauIVcS.exe
3404	qyPGCOg.exe
652	tIAoOgG.exe
1656	CSpOGBL.exe
900	hdgsUZl.exe
1856	QikCIUV.exe
2836	rIfmBSx.exe
424	NbcQWyP.exe
1972	NKuFdxP.exe
3340	jrKMTEM.exe
568	bBwzfrB.exe
2304	YKQyLic.exe
5092	jvRNQHD.exe
3028	PCQJOkz.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\microsofthelp = "C:\\Windows\\microsofthelp.exe"	virussign.com_0dd8d726d0931d83c953ba0e2abbb9a0.vir
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	3247319787.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\N:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\P:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\Y:	Process not Found
File opened (read-only)	\??\A:	Process not Found
File opened (read-only)	\??\X:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\E:	Process not Found
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\A:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\B:	Process not Found
File opened (read-only)	\??\R:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\L:	Process not Found
File opened (read-only)	\??\O:	Process not Found
File opened (read-only)	\??\Q:	Process not Found
File opened (read-only)	\??\S:	Process not Found
File opened (read-only)	\??\I:	Process not Found
File opened (read-only)	\??\K:	Process not Found
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\J:	Process not Found
File opened (read-only)	\??\U:	Process not Found
File opened (read-only)	\??\W:	Process not Found
File opened (read-only)	\??\T:	Process not Found
File opened (read-only)	\??\V:	Process not Found
File opened (read-only)	\??\Z:	Process not Found
File opened (read-only)	\??\G:	Process not Found
File opened (read-only)	\??\H:	Process not Found
File opened (read-only)	\??\M:	Process not Found
File opened (read-only)	\??\N:	Process not Found

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Hcmhel32.dll	Iajdgcab.exe
File created	C:\Windows\SysWOW64\Mjbaohka.dll	Process not Found
File created	C:\Windows\SysWOW64\Qhekaejj.exe	Process not Found
File created	C:\Windows\SysWOW64\Lofllk32.dll	Process not Found
File created	C:\Windows\SysWOW64\Ejiiippb.exe	Process not Found
File created	C:\Windows\SysWOW64\Npbhdogo.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\Hjcllilo.exe	Process not Found
File created	C:\Windows\SysWOW64\Mapchaef.dll	Process not Found
File created	C:\Windows\SysWOW64\Ddpgfjhm.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\Idljll32.exe	Process not Found
File created	C:\Windows\SysWOW64\Jcanll32.exe	Jgkmgk32.exe
File opened for modification	C:\Windows\SysWOW64\Omopjcjp.exe	Process not Found
File created	C:\Windows\SysWOW64\Cefked32.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\Ifqoehhl.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Nmajbnha.exe	Process not Found
File created	C:\Windows\SysWOW64\Elmmem32.dll	Process not Found
File created	C:\Windows\SysWOW64\Fjhmbihg.exe	Process not Found
File created	C:\Windows\SysWOW64\Bnblognf.dll	Process not Found
File created	C:\Windows\SysWOW64\Giofggia.exe	Process not Found
File created	C:\Windows\SysWOW64\Migcpneb.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Lkhbko32.exe	Process not Found
File created	C:\Windows\SysWOW64\Amjbbfgo.exe	Qacameaj.exe
File created	C:\Windows\SysWOW64\Fbmohmoh.exe	Ekcgkb32.exe
File created	C:\Windows\SysWOW64\Oqmhqapg.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Bnlfqngm.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Bjjmfn32.exe	Process not Found
File created	C:\Windows\SysWOW64\Ipbaobme.dll	Process not Found
File created	C:\Windows\SysWOW64\Billqhgi.dll	Process not Found
File created	C:\Windows\SysWOW64\Cdpcal32.exe	Cocjiehd.exe
File created	C:\Windows\SysWOW64\Gdknpp32.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Jnpjlajn.exe	Process not Found
File created	C:\Windows\SysWOW64\Lelmqm32.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\Nmfcok32.exe	Ngjkfd32.exe
File created	C:\Windows\SysWOW64\Ebaplnie.exe	Dglkoeio.exe
File created	C:\Windows\SysWOW64\Filapfbo.exe	Fnfmbmbi.exe
File opened for modification	C:\Windows\SysWOW64\Cohkinob.exe	Process not Found
File created	C:\Windows\SysWOW64\Digjeg32.dll	Process not Found
File created	C:\Windows\SysWOW64\Iojbpo32.exe	Ifomll32.exe
File created	C:\Windows\SysWOW64\Gbkkik32.exe	Gegkpf32.exe
File created	C:\Windows\SysWOW64\Ellpmolj.exe	Process not Found
File created	C:\Windows\SysWOW64\Pjngbdgb.dll	Process not Found
File created	C:\Windows\SysWOW64\Ekcgkb32.exe	Eiekog32.exe
File opened for modification	C:\Windows\SysWOW64\Apnndj32.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Flmonbbp.exe	Process not Found
File created	C:\Windows\SysWOW64\Mlgpjh32.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\Dfphmp32.exe	Process not Found
File created	C:\Windows\SysWOW64\Diblgnen.dll	Process not Found
File created	C:\Windows\SysWOW64\Aknbkjfh.exe	Amjbbfgo.exe
File created	C:\Windows\SysWOW64\Leboon32.dll	Koajmepf.exe
File created	C:\Windows\SysWOW64\Lennpb32.exe	Process not Found
File created	C:\Windows\SysWOW64\Ijbbfc32.exe	Process not Found
File created	C:\Windows\SysWOW64\Omhglnhm.dll	Process not Found
File created	C:\Windows\SysWOW64\Ojqnlp32.dll	Process not Found
File opened for modification	C:\Windows\SysWOW64\Opkfjgmh.exe	Process not Found
File created	C:\Windows\SysWOW64\Lojmcdgl.exe	Lcclncbh.exe
File created	C:\Windows\SysWOW64\Amikgpcc.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Ijedehgm.exe	Process not Found
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Process not Found
File created	C:\Windows\SysWOW64\Gccmaack.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Mnochl32.exe	Process not Found
File created	C:\Windows\SysWOW64\Ajdbmf32.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\Hjolie32.exe	Process not Found
File created	C:\Windows\SysWOW64\Efqigigj.dll	Process not Found
File created	C:\Windows\SysWOW64\Oicimc32.dll	Process not Found

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4876 set thread context of 36084	4876	virussign.com_0a048f1cdb9480e46de3c80728806f10.vir	2163
PID 25788 set thread context of 1140	25788	Process not Found	5619
PID 25788 set thread context of 14764	25788	Process not Found	5658

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002aadb-22.dat	upx
behavioral1/files/0x001900000002aaca-145.dat	upx
behavioral1/memory/4648-146-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/4648-148-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x001900000002aad1-165.dat	upx
behavioral1/memory/920-168-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1000-203-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/4768-237-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/920-255-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/1000-296-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System\jURkMId.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\QeZSNZN.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\hdrFBOa.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\yhVuWTo.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\NPKmqJY.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\CusjwHC.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\AAFIoLE.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\QNPLwPn.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\dTKyCjw.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\jhQSoZh.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\FYaIWlz.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\eKzhpmX.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\hYAtTFV.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\STllQVw.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\EVmwZTS.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\dKAYWPx.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\igoUTGo.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\SomMtrV.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\HDClfiJ.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\EjKjJZV.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\FyHVsrH.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\RGSpSmv.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\GKibona.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\riDqDNq.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\eLXrTFt.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\GqgXMfg.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\occWBox.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\pLQJGRN.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\tIuEkdL.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File opened for modification	C:\Windows\Installer\	Process not Found
File created	C:\Windows\System\xYvwLeE.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\eaWulrn.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\XrNrJnY.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\YuWldSB.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\DjCingo.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\keIrEvf.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\NAVnYaG.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\EIhMvNw.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\TbhrPDA.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\msjhPKe.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\cQRqaGk.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\WdBXngX.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\zIdPGsb.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\GrvqqCg.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\ZgvbDOD.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\XqLCkqJ.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\rhEMvpQ.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\KLVMfer.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\SdyNMnB.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\qTSqtjf.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\RFxDPNQ.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\JaYWpIo.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\qWPqJoO.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\GvMugxS.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\AArFIho.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\wayjCDL.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\LpNXUrv.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\vieDIBf.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\xsscwRv.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\GnpoLkw.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\VUZWGjt.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\znCOPhA.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\uSHCfHv.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
File created	C:\Windows\System\ENlDRjZ.exe	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3552	5092	WerFault.exe	94
224	2068	WerFault.exe	104
3496	1280	WerFault.exe	86
38384	39540	Process not Found	2378
10828	10212	Process not Found	2796
31032	32472	Process not Found	3600
34516	37208	Process not Found	3663
40340	42928	Process not Found	4528

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opnbae32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dndgfpbo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dqpfmlce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fbmohmoh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FB67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hlbcnd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfcabp32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virussign.com_8909a327b78df6f1393349086fed94f0.vir
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Iefgbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lojmcdgl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
29716	Process not Found

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leecmgpa.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngpekcgb.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Boldhf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhjjqh.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diohqplg.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gginjc32.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phbcfe32.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmcniamb.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johmahhb.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdbmge32.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbjlkd32.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Fiqjke32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjemge32.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll"	Koajmepf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnmff32.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmani32.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pfiddm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Iefgbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnijfj32.dll"	Enmjlojd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Jcanll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljnjmcie.dll"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfpjlgdl.dll"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ojajin32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ombcji32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneoha32.dll"	Jafdcbge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjemgpnb.dll"	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
35056	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
21480	Process not Found
21480	Process not Found
21480	Process not Found
21480	Process not Found
26004	Process not Found
26004	Process not Found
31496	Process not Found
31496	Process not Found
31496	Process not Found
31496	Process not Found
36084	Process not Found
36084	Process not Found
36084	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
38360	Process not Found
37224	Process not Found
37224	Process not Found
14384	Process not Found
14384	Process not Found
14384	Process not Found
37224	Process not Found
37224	Process not Found
30996	Process not Found
30996	Process not Found
38928	Process not Found
38928	Process not Found
25788	Process not Found
25788	Process not Found
25788	Process not Found
10012	Process not Found
10012	Process not Found
10012	Process not Found

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2136	7zFM.exe
2388	virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2136	7zFM.exe
Token: 35	2136	7zFM.exe
Token: SeSecurityPrivilege	2136	7zFM.exe
Token: SeDebugPrivilege	21480	Process not Found
Token: SeDebugPrivilege	26004	Process not Found
Token: SeDebugPrivilege	31496	Process not Found
Token: SeDebugPrivilege	36084	Process not Found
Token: SeDebugPrivilege	14384	Process not Found
Token: SeIncBasePriorityPrivilege	38020	Process not Found
Token: SeIncreaseQuotaPrivilege	14384	Process not Found
Token: SeSecurityPrivilege	14384	Process not Found
Token: SeTakeOwnershipPrivilege	14384	Process not Found
Token: SeLoadDriverPrivilege	14384	Process not Found
Token: SeSystemProfilePrivilege	14384	Process not Found
Token: SeSystemtimePrivilege	14384	Process not Found
Token: SeProfSingleProcessPrivilege	14384	Process not Found
Token: SeIncBasePriorityPrivilege	14384	Process not Found
Token: SeCreatePagefilePrivilege	14384	Process not Found
Token: SeBackupPrivilege	14384	Process not Found
Token: SeRestorePrivilege	14384	Process not Found
Token: SeShutdownPrivilege	14384	Process not Found
Token: SeDebugPrivilege	14384	Process not Found
Token: SeSystemEnvironmentPrivilege	14384	Process not Found
Token: SeRemoteShutdownPrivilege	14384	Process not Found
Token: SeUndockPrivilege	14384	Process not Found
Token: SeManageVolumePrivilege	14384	Process not Found
Token: 33	14384	Process not Found
Token: 34	14384	Process not Found
Token: 35	14384	Process not Found
Token: 36	14384	Process not Found
Token: SeIncreaseQuotaPrivilege	14384	Process not Found
Token: SeSecurityPrivilege	14384	Process not Found
Token: SeTakeOwnershipPrivilege	14384	Process not Found
Token: SeLoadDriverPrivilege	14384	Process not Found
Token: SeSystemProfilePrivilege	14384	Process not Found
Token: SeSystemtimePrivilege	14384	Process not Found
Token: SeProfSingleProcessPrivilege	14384	Process not Found
Token: SeIncBasePriorityPrivilege	14384	Process not Found
Token: SeCreatePagefilePrivilege	14384	Process not Found
Token: SeBackupPrivilege	14384	Process not Found
Token: SeRestorePrivilege	14384	Process not Found
Token: SeShutdownPrivilege	14384	Process not Found
Token: SeDebugPrivilege	14384	Process not Found
Token: SeSystemEnvironmentPrivilege	14384	Process not Found
Token: SeRemoteShutdownPrivilege	14384	Process not Found
Token: SeUndockPrivilege	14384	Process not Found
Token: SeManageVolumePrivilege	14384	Process not Found
Token: 33	14384	Process not Found
Token: 34	14384	Process not Found
Token: 35	14384	Process not Found
Token: 36	14384	Process not Found
Token: SeIncreaseQuotaPrivilege	14384	Process not Found
Token: SeSecurityPrivilege	14384	Process not Found
Token: SeTakeOwnershipPrivilege	14384	Process not Found
Token: SeLoadDriverPrivilege	14384	Process not Found
Token: SeSystemProfilePrivilege	14384	Process not Found
Token: SeSystemtimePrivilege	14384	Process not Found
Token: SeProfSingleProcessPrivilege	14384	Process not Found
Token: SeIncBasePriorityPrivilege	14384	Process not Found
Token: SeCreatePagefilePrivilege	14384	Process not Found
Token: SeBackupPrivilege	14384	Process not Found
Token: SeRestorePrivilege	14384	Process not Found
Token: SeShutdownPrivilege	14384	Process not Found
Token: SeDebugPrivilege	14384	Process not Found

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2136	7zFM.exe
2136	7zFM.exe
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found
14764	Process not Found

Suspicious use of SetWindowsHookEx 32 IoCs

pid	Process
1280	virussign.com_05c3078160025e055e31b207b2c9fae0.vir
2436	OpenWith.exe
2284	virussign.com_176ead841fd513c687d7bb949df1b790.vir
5092	virussign.com_116ce2a1fd49210068a0f473842d5040.vir
2020	OpenWith.exe
3816	virussign.com_1c03261b3c48f6ee44730d62e5c70ec0.vir
4708	virussign.com_20bb9d6e02a7abd5ed80b5211a3f6020.vir
4172	virussign.com_2d9a6d9b9052b149d0f080b2f1a9f0b0.vir
2324	virussign.com_43e1fe6e5f9bab4195ccda4978913650.vir
4924	virussign.com_5884d29c32afb422ab56a704852d5d10.vir
2604	virussign.com_5e3faf8e84b4daf17f924222348b7e40.vir
2288	virussign.com_63b60ea31621845106b84ffadd595450.vir
784	OpenWith.exe
4084	virussign.com_77c61a9112891c7e9515b8c233057ce0.vir
2036	virussign.com_7e107c53eca43a4993f3217ecdf067e0.vir
3468	virussign.com_83718ff205885ef58de7f4bd0066b8c0.vir
1780	OpenWith.exe
3932	virussign.com_8df053c876529979fc9aa0b52c344150.vir
7480	OpenWith.exe
21096	Process not Found
25568	Process not Found
38360	Process not Found
38360	Process not Found
35416	Process not Found
14424	Process not Found
11148	Process not Found
12340	Process not Found
21628	Process not Found
24772	Process not Found
17872	Process not Found
23444	Process not Found
39968	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 4648	2796	cmd.exe	82
PID 2796 wrote to memory of 4648	2796	cmd.exe	82
PID 2796 wrote to memory of 4648	2796	cmd.exe	82
PID 2796 wrote to memory of 4768	2796	cmd.exe	83
PID 2796 wrote to memory of 4768	2796	cmd.exe	83
PID 2796 wrote to memory of 4768	2796	cmd.exe	83
PID 2796 wrote to memory of 3236	2796	cmd.exe	85
PID 2796 wrote to memory of 3236	2796	cmd.exe	85
PID 2796 wrote to memory of 3236	2796	cmd.exe	85
PID 2796 wrote to memory of 1280	2796	cmd.exe	86
PID 2796 wrote to memory of 1280	2796	cmd.exe	86
PID 2796 wrote to memory of 1280	2796	cmd.exe	86
PID 2796 wrote to memory of 4876	2796	cmd.exe	88
PID 2796 wrote to memory of 4876	2796	cmd.exe	88
PID 2796 wrote to memory of 4876	2796	cmd.exe	88
PID 2796 wrote to memory of 920	2796	cmd.exe	89
PID 2796 wrote to memory of 920	2796	cmd.exe	89
PID 2796 wrote to memory of 920	2796	cmd.exe	89
PID 2796 wrote to memory of 3276	2796	cmd.exe	90
PID 2796 wrote to memory of 3276	2796	cmd.exe	90
PID 2796 wrote to memory of 3276	2796	cmd.exe	90
PID 3276 wrote to memory of 3120	3276	virussign.com_0dd8d726d0931d83c953ba0e2abbb9a0.vir	93
PID 3276 wrote to memory of 3120	3276	virussign.com_0dd8d726d0931d83c953ba0e2abbb9a0.vir	93
PID 3276 wrote to memory of 3120	3276	virussign.com_0dd8d726d0931d83c953ba0e2abbb9a0.vir	93
PID 2796 wrote to memory of 5092	2796	cmd.exe	163
PID 2796 wrote to memory of 5092	2796	cmd.exe	163
PID 2796 wrote to memory of 5092	2796	cmd.exe	163
PID 2796 wrote to memory of 2284	2796	cmd.exe	95
PID 2796 wrote to memory of 2284	2796	cmd.exe	95
PID 2796 wrote to memory of 2284	2796	cmd.exe	95
PID 2796 wrote to memory of 3816	2796	cmd.exe	96
PID 2796 wrote to memory of 3816	2796	cmd.exe	96
PID 2796 wrote to memory of 3816	2796	cmd.exe	96
PID 2796 wrote to memory of 1000	2796	cmd.exe	97
PID 2796 wrote to memory of 1000	2796	cmd.exe	97
PID 2796 wrote to memory of 1000	2796	cmd.exe	97
PID 2796 wrote to memory of 4708	2796	cmd.exe	100
PID 2796 wrote to memory of 4708	2796	cmd.exe	100
PID 2796 wrote to memory of 4708	2796	cmd.exe	100
PID 2796 wrote to memory of 2860	2796	cmd.exe	174
PID 2796 wrote to memory of 2860	2796	cmd.exe	174
PID 2796 wrote to memory of 2860	2796	cmd.exe	174
PID 2796 wrote to memory of 4172	2796	cmd.exe	102
PID 2796 wrote to memory of 4172	2796	cmd.exe	102
PID 2796 wrote to memory of 4172	2796	cmd.exe	102
PID 2796 wrote to memory of 3920	2796	cmd.exe	103
PID 2796 wrote to memory of 3920	2796	cmd.exe	103
PID 2796 wrote to memory of 3920	2796	cmd.exe	103
PID 2796 wrote to memory of 2068	2796	cmd.exe	104
PID 2796 wrote to memory of 2068	2796	cmd.exe	104
PID 2796 wrote to memory of 2068	2796	cmd.exe	104
PID 2796 wrote to memory of 2332	2796	cmd.exe	105
PID 2796 wrote to memory of 2332	2796	cmd.exe	105
PID 2796 wrote to memory of 2332	2796	cmd.exe	105
PID 2796 wrote to memory of 2324	2796	cmd.exe	113
PID 2796 wrote to memory of 2324	2796	cmd.exe	113
PID 2796 wrote to memory of 2324	2796	cmd.exe	113
PID 2796 wrote to memory of 4112	2796	cmd.exe	243
PID 2796 wrote to memory of 4112	2796	cmd.exe	243
PID 2796 wrote to memory of 4112	2796	cmd.exe	243
PID 2796 wrote to memory of 1020	2796	cmd.exe	115
PID 2796 wrote to memory of 1020	2796	cmd.exe	115
PID 2796 wrote to memory of 1020	2796	cmd.exe	115
PID 2796 wrote to memory of 4924	2796	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3368
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\virussign.com_20241209_LimitedFree.zip"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\Desktop\malwar\virussign.com_02086fe70be8b2f98a26c8976ebffa50.vir
    virussign.com_02086fe70be8b2f98a26c8976ebffa50.vir
    3⤵
    - Executes dropped EXE
    PID:4648
- - C:\Users\Admin\Desktop\malwar\virussign.com_02086fe70be8b2f98a26c8976ebffa50.vir
    virussign.com_02086fe70be8b2f98a26c8976ebffa50.vir
    3⤵
    - Executes dropped EXE
    PID:4768
- - C:\Users\Admin\Desktop\malwar\virussign.com_02430a5aa0fade970b559057312773f0.vir
    virussign.com_02430a5aa0fade970b559057312773f0.vir
    3⤵
    - Executes dropped EXE
    PID:3236
- - C:\Users\Admin\Desktop\malwar\virussign.com_05c3078160025e055e31b207b2c9fae0.vir
    virussign.com_05c3078160025e055e31b207b2c9fae0.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1280 -s 592
      4⤵
      Program crash
      PID:3496
- - C:\Users\Admin\Desktop\malwar\virussign.com_0a048f1cdb9480e46de3c80728806f10.vir
    virussign.com_0a048f1cdb9480e46de3c80728806f10.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4876
- - C:\Users\Admin\Desktop\malwar\virussign.com_0b9d792e46792ac3ae996fab5d916810.vir
    virussign.com_0b9d792e46792ac3ae996fab5d916810.vir
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Users\Admin\Desktop\malwar\virussign.com_0dd8d726d0931d83c953ba0e2abbb9a0.vir
    virussign.com_0dd8d726d0931d83c953ba0e2abbb9a0.vir
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3276
  - - C:\Windows\microsofthelp.exe
      "C:\Windows\microsofthelp.exe"
      4⤵
      Executes dropped EXE
      PID:3120
- - C:\Users\Admin\Desktop\malwar\virussign.com_116ce2a1fd49210068a0f473842d5040.vir
    virussign.com_116ce2a1fd49210068a0f473842d5040.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5092
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 532
      4⤵
      Program crash
      PID:3552
- - C:\Users\Admin\Desktop\malwar\virussign.com_176ead841fd513c687d7bb949df1b790.vir
    virussign.com_176ead841fd513c687d7bb949df1b790.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2284
- - C:\Users\Admin\Desktop\malwar\virussign.com_1c03261b3c48f6ee44730d62e5c70ec0.vir
    virussign.com_1c03261b3c48f6ee44730d62e5c70ec0.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3816
- - C:\Users\Admin\Desktop\malwar\virussign.com_1c6a0eb754eb16314dc4cdfaf6297330.vir
    virussign.com_1c6a0eb754eb16314dc4cdfaf6297330.vir
    3⤵
    - Executes dropped EXE
    PID:1000
- - C:\Users\Admin\Desktop\malwar\virussign.com_20bb9d6e02a7abd5ed80b5211a3f6020.vir
    virussign.com_20bb9d6e02a7abd5ed80b5211a3f6020.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4708
- - C:\Users\Admin\Desktop\malwar\virussign.com_26dd5367688cd475f2ff8d7ec0410230.vir
    virussign.com_26dd5367688cd475f2ff8d7ec0410230.vir
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Users\Admin\Desktop\malwar\virussign.com_2d9a6d9b9052b149d0f080b2f1a9f0b0.vir
    virussign.com_2d9a6d9b9052b149d0f080b2f1a9f0b0.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4172
- - C:\Users\Admin\Desktop\malwar\virussign.com_3480729f9572c299fcc9e8cd77904ca0.vir
    virussign.com_3480729f9572c299fcc9e8cd77904ca0.vir
    3⤵
    - Executes dropped EXE
    PID:3920
- - C:\Users\Admin\Desktop\malwar\virussign.com_37c7709ab0aed9b20b56ed66a7d12100.vir
    virussign.com_37c7709ab0aed9b20b56ed66a7d12100.vir
    3⤵
    - Executes dropped EXE
    PID:2068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 420
      4⤵
      Program crash
      PID:224
- - C:\Users\Admin\Desktop\malwar\virussign.com_3bb1202078a92cea11a60eb07a588940.vir
    virussign.com_3bb1202078a92cea11a60eb07a588940.vir
    3⤵
    - Executes dropped EXE
    PID:2332
- - C:\Users\Admin\Desktop\malwar\virussign.com_43e1fe6e5f9bab4195ccda4978913650.vir
    virussign.com_43e1fe6e5f9bab4195ccda4978913650.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2324
- - C:\Users\Admin\Desktop\malwar\virussign.com_48c9dc42ce81f9c3af8c82aa6517f370.vir
    virussign.com_48c9dc42ce81f9c3af8c82aa6517f370.vir
    3⤵
    - Executes dropped EXE
    PID:4112
- - C:\Users\Admin\Desktop\malwar\virussign.com_5189ffb7311dfb72033379662d41ce60.vir
    virussign.com_5189ffb7311dfb72033379662d41ce60.vir
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Users\Admin\Desktop\malwar\virussign.com_5884d29c32afb422ab56a704852d5d10.vir
    virussign.com_5884d29c32afb422ab56a704852d5d10.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4924
- - C:\Users\Admin\Desktop\malwar\virussign.com_5d7e49a025c7561f46a4243448cd8850.vir
    virussign.com_5d7e49a025c7561f46a4243448cd8850.vir
    3⤵
    - Executes dropped EXE
    PID:940
  - - C:\Users\Admin\AppData\Local\Temp\FB67.exe
      "C:\Users\Admin\AppData\Local\Temp\FB67.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2612
    - - C:\Users\Admin\AppData\Local\Temp\3247319787.exe
        
        C:\Users\Admin\AppData\Local\Temp\3247319787.exe
        5⤵
        Adds Run key to start application
        
        PID:9212
      - C:\Windows\sysnldcvmr.exe
        
        C:\Windows\sysnldcvmr.exe
        6⤵
        
        PID:6692
- - C:\Users\Admin\Desktop\malwar\virussign.com_5e3faf8e84b4daf17f924222348b7e40.vir
    virussign.com_5e3faf8e84b4daf17f924222348b7e40.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2604
- - C:\Users\Admin\Desktop\malwar\virussign.com_63b60ea31621845106b84ffadd595450.vir
    virussign.com_63b60ea31621845106b84ffadd595450.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Users\Admin\Desktop\malwar\virussign.com_69a1ca89bba5eaf5c37d957e5dfa2100.vir
    virussign.com_69a1ca89bba5eaf5c37d957e5dfa2100.vir
    3⤵
    - Executes dropped EXE
    PID:3060
- - C:\Users\Admin\Desktop\malwar\virussign.com_6fa46e2ce246a8b475b1e9ab31ff9a90.vir
    virussign.com_6fa46e2ce246a8b475b1e9ab31ff9a90.vir
    3⤵
    - Executes dropped EXE
    PID:3388
- - C:\Users\Admin\Desktop\malwar\virussign.com_77c61a9112891c7e9515b8c233057ce0.vir
    virussign.com_77c61a9112891c7e9515b8c233057ce0.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4084
- - C:\Users\Admin\Desktop\malwar\virussign.com_7e107c53eca43a4993f3217ecdf067e0.vir
    virussign.com_7e107c53eca43a4993f3217ecdf067e0.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2036
- - C:\Users\Admin\Desktop\malwar\virussign.com_83718ff205885ef58de7f4bd0066b8c0.vir
    virussign.com_83718ff205885ef58de7f4bd0066b8c0.vir
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3468
- - C:\Users\Admin\Desktop\malwar\virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
    virussign.com_83bcae31c2be9cfb988eb4cb5150a6a0.vir
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2388
  - - C:\Windows\System\YkpgUdx.exe
      C:\Windows\System\YkpgUdx.exe
      4⤵
      Executes dropped EXE
      PID:1272
  - - C:\Windows\System\nTaSbpd.exe
      C:\Windows\System\nTaSbpd.exe
      4⤵
      Executes dropped EXE
      PID:4680
  - - C:\Windows\System\tDgMlTj.exe
      C:\Windows\System\tDgMlTj.exe
      4⤵
      Executes dropped EXE
      PID:4864
  - - C:\Windows\System\dWvjqLX.exe
      C:\Windows\System\dWvjqLX.exe
      4⤵
      Executes dropped EXE
      PID:4504
  - - C:\Windows\System\NvcUeug.exe
      C:\Windows\System\NvcUeug.exe
      4⤵
      Executes dropped EXE
      PID:4840
  - - C:\Windows\System\XdmrKJp.exe
      C:\Windows\System\XdmrKJp.exe
      4⤵
      Executes dropped EXE
      PID:4396
  - - C:\Windows\System\PWIuFCQ.exe
      C:\Windows\System\PWIuFCQ.exe
      4⤵
      Executes dropped EXE
      PID:4428
  - - C:\Windows\System\FfxmTHa.exe
      C:\Windows\System\FfxmTHa.exe
      4⤵
      Executes dropped EXE
      PID:4296
  - - C:\Windows\System\cATTAQN.exe
      C:\Windows\System\cATTAQN.exe
      4⤵
      Executes dropped EXE
      PID:3776
  - - C:\Windows\System\AdfpKfT.exe
      C:\Windows\System\AdfpKfT.exe
      4⤵
      Executes dropped EXE
      PID:4968
  - - C:\Windows\System\grsOIvi.exe
      C:\Windows\System\grsOIvi.exe
      4⤵
      Executes dropped EXE
      PID:4416
  - - C:\Windows\System\zplrGRr.exe
      C:\Windows\System\zplrGRr.exe
      4⤵
      Executes dropped EXE
      PID:384
  - - C:\Windows\System\xqwFlWk.exe
      C:\Windows\System\xqwFlWk.exe
      4⤵
      Executes dropped EXE
      PID:2432
  - - C:\Windows\System\PxRqrWb.exe
      C:\Windows\System\PxRqrWb.exe
      4⤵
      Executes dropped EXE
      PID:4824
  - - C:\Windows\System\vdfpMaZ.exe
      C:\Windows\System\vdfpMaZ.exe
      4⤵
      Executes dropped EXE
      PID:4692
  - - C:\Windows\System\DbMNmnr.exe
      C:\Windows\System\DbMNmnr.exe
      4⤵
      Executes dropped EXE
      PID:3352
  - - C:\Windows\System\CDjlnLY.exe
      C:\Windows\System\CDjlnLY.exe
      4⤵
      Executes dropped EXE
      PID:2704
  - - C:\Windows\System\wauIVcS.exe
      C:\Windows\System\wauIVcS.exe
      4⤵
      Executes dropped EXE
      PID:2740
  - - C:\Windows\System\qyPGCOg.exe
      C:\Windows\System\qyPGCOg.exe
      4⤵
      Executes dropped EXE
      PID:3404
  - - C:\Windows\System\tIAoOgG.exe
      C:\Windows\System\tIAoOgG.exe
      4⤵
      Executes dropped EXE
      PID:652
  - - C:\Windows\System\CSpOGBL.exe
      C:\Windows\System\CSpOGBL.exe
      4⤵
      Executes dropped EXE
      PID:1656
  - - C:\Windows\System\hdgsUZl.exe
      C:\Windows\System\hdgsUZl.exe
      4⤵
      Executes dropped EXE
      PID:900
  - - C:\Windows\System\QikCIUV.exe
      C:\Windows\System\QikCIUV.exe
      4⤵
      Executes dropped EXE
      PID:1856
  - - C:\Windows\System\rIfmBSx.exe
      C:\Windows\System\rIfmBSx.exe
      4⤵
      Executes dropped EXE
      PID:2836
  - - C:\Windows\System\NbcQWyP.exe
      C:\Windows\System\NbcQWyP.exe
      4⤵
      Executes dropped EXE
      PID:424
  - - C:\Windows\System\NKuFdxP.exe
      C:\Windows\System\NKuFdxP.exe
      4⤵
      Executes dropped EXE
      PID:1972
  - - C:\Windows\System\jrKMTEM.exe
      C:\Windows\System\jrKMTEM.exe
      4⤵
      Executes dropped EXE
      PID:3340
  - - C:\Windows\System\bBwzfrB.exe
      C:\Windows\System\bBwzfrB.exe
      4⤵
      Executes dropped EXE
      PID:568
  - - C:\Windows\System\YKQyLic.exe
      C:\Windows\System\YKQyLic.exe
      4⤵
      Executes dropped EXE
      PID:2304
  - - C:\Windows\System\gavtdsw.exe
      C:\Windows\System\gavtdsw.exe
      4⤵
      PID:4300
  - - C:\Windows\System\jvRNQHD.exe
      C:\Windows\System\jvRNQHD.exe
      4⤵
      Executes dropped EXE
      PID:5092
  - - C:\Windows\System\PCQJOkz.exe
      C:\Windows\System\PCQJOkz.exe
      4⤵
      Executes dropped EXE
      PID:3028
  - - C:\Windows\System\AgEaCsM.exe
      C:\Windows\System\AgEaCsM.exe
      4⤵
      PID:4004
  - - C:\Windows\System\ONbQlxG.exe
      C:\Windows\System\ONbQlxG.exe
      4⤵
      PID:3508
  - - C:\Windows\System\ifllUGC.exe
      C:\Windows\System\ifllUGC.exe
      4⤵
      PID:964
  - - C:\Windows\System\moUEsnt.exe
      C:\Windows\System\moUEsnt.exe
      4⤵
      PID:2500
  - - C:\Windows\System\IzODZtb.exe
      C:\Windows\System\IzODZtb.exe
      4⤵
      PID:5064
  - - C:\Windows\System\aYGfMzo.exe
      C:\Windows\System\aYGfMzo.exe
      4⤵
      PID:1944
  - - C:\Windows\System\pGdeoCR.exe
      C:\Windows\System\pGdeoCR.exe
      4⤵
      PID:2264
  - - C:\Windows\System\qxaJqLp.exe
      C:\Windows\System\qxaJqLp.exe
      4⤵
      PID:3928
  - - C:\Windows\System\BvWysvE.exe
      C:\Windows\System\BvWysvE.exe
      4⤵
      PID:1056
  - - C:\Windows\System\NdHIqFI.exe
      C:\Windows\System\NdHIqFI.exe
      4⤵
      PID:2860
  - - C:\Windows\System\DKDQWTc.exe
      C:\Windows\System\DKDQWTc.exe
      4⤵
      PID:3480
  - - C:\Windows\System\BeegioP.exe
      C:\Windows\System\BeegioP.exe
      4⤵
      PID:2728
  - - C:\Windows\System\kyjJEyl.exe
      C:\Windows\System\kyjJEyl.exe
      4⤵
      PID:2200
  - - C:\Windows\System\moyUybU.exe
      C:\Windows\System\moyUybU.exe
      4⤵
      PID:2600
  - - C:\Windows\System\zhvjbam.exe
      C:\Windows\System\zhvjbam.exe
      4⤵
      PID:3524
  - - C:\Windows\System\EZVhlEu.exe
      C:\Windows\System\EZVhlEu.exe
      4⤵
      PID:1872
  - - C:\Windows\System\rnexFTh.exe
      C:\Windows\System\rnexFTh.exe
      4⤵
      PID:3780
  - - C:\Windows\System\IGpZcwq.exe
      C:\Windows\System\IGpZcwq.exe
      4⤵
      PID:1688
  - - C:\Windows\System\gJuenmD.exe
      C:\Windows\System\gJuenmD.exe
      4⤵
      PID:4836
  - - C:\Windows\System\VTSQBDz.exe
      C:\Windows\System\VTSQBDz.exe
      4⤵
      PID:2020
  - - C:\Windows\System\FuZqITx.exe
      C:\Windows\System\FuZqITx.exe
      4⤵
      PID:3896
  - - C:\Windows\System\ZMFOOFB.exe
      C:\Windows\System\ZMFOOFB.exe
      4⤵
      PID:3824
  - - C:\Windows\System\kAGPshs.exe
      C:\Windows\System\kAGPshs.exe
      4⤵
      PID:5088
  - - C:\Windows\System\ZgugEmb.exe
      C:\Windows\System\ZgugEmb.exe
      4⤵
      PID:1448
  - - C:\Windows\System\VyuCJFG.exe
      C:\Windows\System\VyuCJFG.exe
      4⤵
      PID:4552
  - - C:\Windows\System\JQTEoce.exe
      C:\Windows\System\JQTEoce.exe
      4⤵
      PID:4592
  - - C:\Windows\System\BstYjIX.exe
      C:\Windows\System\BstYjIX.exe
      4⤵
      PID:3040
  - - C:\Windows\System\VPfzbYu.exe
      C:\Windows\System\VPfzbYu.exe
      4⤵
      PID:580
  - - C:\Windows\System\BIRlLip.exe
      C:\Windows\System\BIRlLip.exe
      4⤵
      PID:1304
  - - C:\Windows\System\pzdUaBY.exe
      C:\Windows\System\pzdUaBY.exe
      4⤵
      PID:3424
  - - C:\Windows\System\xTWOHtj.exe
      C:\Windows\System\xTWOHtj.exe
      4⤵
      PID:3536
  - - C:\Windows\System\wDyNwDl.exe
      C:\Windows\System\wDyNwDl.exe
      4⤵
      PID:5152
  - - C:\Windows\System\zNQyGjc.exe
      C:\Windows\System\zNQyGjc.exe
      4⤵
      PID:5180
  - - C:\Windows\System\bAMRIKm.exe
      C:\Windows\System\bAMRIKm.exe
      4⤵
      PID:5200
  - - C:\Windows\System\hkKopfg.exe
      C:\Windows\System\hkKopfg.exe
      4⤵
      PID:5216
  - - C:\Windows\System\CSSqMMQ.exe
      C:\Windows\System\CSSqMMQ.exe
      4⤵
      PID:5232
  - - C:\Windows\System\jDsbjFl.exe
      C:\Windows\System\jDsbjFl.exe
      4⤵
      PID:5248
  - - C:\Windows\System\gDMdIuz.exe
      C:\Windows\System\gDMdIuz.exe
      4⤵
      PID:5316
  - - C:\Windows\System\aFnukGw.exe
      C:\Windows\System\aFnukGw.exe
      4⤵
      PID:5360
  - - C:\Windows\System\sCGwkOt.exe
      C:\Windows\System\sCGwkOt.exe
      4⤵
      PID:5376
  - - C:\Windows\System\iLRMXRU.exe
      C:\Windows\System\iLRMXRU.exe
      4⤵
      PID:5392
  - - C:\Windows\System\aLBfsWy.exe
      C:\Windows\System\aLBfsWy.exe
      4⤵
      PID:5408
  - - C:\Windows\System\URWLfPQ.exe
      C:\Windows\System\URWLfPQ.exe
      4⤵
      PID:5428
  - - C:\Windows\System\WMDmIvY.exe
      C:\Windows\System\WMDmIvY.exe
      4⤵
      PID:5452
  - - C:\Windows\System\rPOQdUl.exe
      C:\Windows\System\rPOQdUl.exe
      4⤵
      PID:5472
  - - C:\Windows\System\JcGtRGX.exe
      C:\Windows\System\JcGtRGX.exe
      4⤵
      PID:5488
  - - C:\Windows\System\dPrVfgD.exe
      C:\Windows\System\dPrVfgD.exe
      4⤵
      PID:5512
  - - C:\Windows\System\lwHpxgF.exe
      C:\Windows\System\lwHpxgF.exe
      4⤵
      PID:5556
  - - C:\Windows\System\OxEmUnt.exe
      C:\Windows\System\OxEmUnt.exe
      4⤵
      PID:5584
  - - C:\Windows\System\HeSHdrz.exe
      C:\Windows\System\HeSHdrz.exe
      4⤵
      PID:5628
  - - C:\Windows\System\OzpbWaf.exe
      C:\Windows\System\OzpbWaf.exe
      4⤵
      PID:5660
  - - C:\Windows\System\ewkYEBX.exe
      C:\Windows\System\ewkYEBX.exe
      4⤵
      PID:5684
  - - C:\Windows\System\azhAsHr.exe
      C:\Windows\System\azhAsHr.exe
      4⤵
      PID:5704
  - - C:\Windows\System\fVmtRgL.exe
      C:\Windows\System\fVmtRgL.exe
      4⤵
      PID:5736
  - - C:\Windows\System\tQzHoLQ.exe
      C:\Windows\System\tQzHoLQ.exe
      4⤵
      PID:5776
  - - C:\Windows\System\tNJUMfc.exe
      C:\Windows\System\tNJUMfc.exe
      4⤵
      PID:5800
  - - C:\Windows\System\swCFOvd.exe
      C:\Windows\System\swCFOvd.exe
      4⤵
      PID:5816
  - - C:\Windows\System\vfTbWUT.exe
      C:\Windows\System\vfTbWUT.exe
      4⤵
      PID:5832
  - - C:\Windows\System\XYygtLr.exe
      C:\Windows\System\XYygtLr.exe
      4⤵
      PID:5880
  - - C:\Windows\System\EquCaQk.exe
      C:\Windows\System\EquCaQk.exe
      4⤵
      PID:5900
  - - C:\Windows\System\xZwgdHe.exe
      C:\Windows\System\xZwgdHe.exe
      4⤵
      PID:5932
  - - C:\Windows\System\tPkAzmM.exe
      C:\Windows\System\tPkAzmM.exe
      4⤵
      PID:5980
  - - C:\Windows\System\WPhxKQr.exe
      C:\Windows\System\WPhxKQr.exe
      4⤵
      PID:6004
  - - C:\Windows\System\XQojKiE.exe
      C:\Windows\System\XQojKiE.exe
      4⤵
      PID:6052
  - - C:\Windows\System\LSHEAsw.exe
      C:\Windows\System\LSHEAsw.exe
      4⤵
      PID:6068
  - - C:\Windows\System\ipSUcFh.exe
      C:\Windows\System\ipSUcFh.exe
      4⤵
      PID:6088
  - - C:\Windows\System\SKkqxVJ.exe
      C:\Windows\System\SKkqxVJ.exe
      4⤵
      PID:6120
  - - C:\Windows\System\jhXnyyf.exe
      C:\Windows\System\jhXnyyf.exe
      4⤵
      PID:1116
  - - C:\Windows\System\QPBldqJ.exe
      C:\Windows\System\QPBldqJ.exe
      4⤵
      PID:2072
  - - C:\Windows\System\TGhxeCW.exe
      C:\Windows\System\TGhxeCW.exe
      4⤵
      PID:4112
  - - C:\Windows\System\tEfomLr.exe
      C:\Windows\System\tEfomLr.exe
      4⤵
      PID:5188
  - - C:\Windows\System\RJhkoZC.exe
      C:\Windows\System\RJhkoZC.exe
      4⤵
      PID:4612
  - - C:\Windows\System\gceclBi.exe
      C:\Windows\System\gceclBi.exe
      4⤵
      PID:5176
  - - C:\Windows\System\dzhgAJz.exe
      C:\Windows\System\dzhgAJz.exe
      4⤵
      PID:5356
  - - C:\Windows\System\ysdfZbf.exe
      C:\Windows\System\ysdfZbf.exe
      4⤵
      PID:5168
  - - C:\Windows\System\mhKNASg.exe
      C:\Windows\System\mhKNASg.exe
      4⤵
      PID:5448
  - - C:\Windows\System\TtuVafl.exe
      C:\Windows\System\TtuVafl.exe
      4⤵
      PID:5528
  - - C:\Windows\System\KBhVvHw.exe
      C:\Windows\System\KBhVvHw.exe
      4⤵
      PID:5388
  - - C:\Windows\System\FdwziSG.exe
      C:\Windows\System\FdwziSG.exe
      4⤵
      PID:5468
  - - C:\Windows\System\AyXgnqA.exe
      C:\Windows\System\AyXgnqA.exe
      4⤵
      PID:5812
  - - C:\Windows\System\uyfCPFT.exe
      C:\Windows\System\uyfCPFT.exe
      4⤵
      PID:5896
  - - C:\Windows\System\XZKRcSl.exe
      C:\Windows\System\XZKRcSl.exe
      4⤵
      PID:5996
  - - C:\Windows\System\VwNdDKM.exe
      C:\Windows\System\VwNdDKM.exe
      4⤵
      PID:5916
  - - C:\Windows\System\BETUoaF.exe
      C:\Windows\System\BETUoaF.exe
      4⤵
      PID:5788
  - - C:\Windows\System\HjUrmhZ.exe
      C:\Windows\System\HjUrmhZ.exe
      4⤵
      PID:6132
  - - C:\Windows\System\aEXXTGJ.exe
      C:\Windows\System\aEXXTGJ.exe
      4⤵
      PID:6076
  - - C:\Windows\System\uZHxDAh.exe
      C:\Windows\System\uZHxDAh.exe
      4⤵
      PID:1348
  - - C:\Windows\System\vrlOsjo.exe
      C:\Windows\System\vrlOsjo.exe
      4⤵
      PID:5416
  - - C:\Windows\System\muKEDOo.exe
      C:\Windows\System\muKEDOo.exe
      4⤵
      PID:3388
  - - C:\Windows\System\ZNrJgIy.exe
      C:\Windows\System\ZNrJgIy.exe
      4⤵
      PID:6176
  - - C:\Windows\System\EWNEtVj.exe
      C:\Windows\System\EWNEtVj.exe
      4⤵
      PID:6212
  - - C:\Windows\System\QsTMgOl.exe
      C:\Windows\System\QsTMgOl.exe
      4⤵
      PID:6248
  - - C:\Windows\System\ehOkqnJ.exe
      C:\Windows\System\ehOkqnJ.exe
      4⤵
      PID:6300
  - - C:\Windows\System\vvMpmoL.exe
      C:\Windows\System\vvMpmoL.exe
      4⤵
      PID:6364
  - - C:\Windows\System\UgiZaPQ.exe
      C:\Windows\System\UgiZaPQ.exe
      4⤵
      PID:6400
  - - C:\Windows\System\DqZXDiJ.exe
      C:\Windows\System\DqZXDiJ.exe
      4⤵
      PID:6420
  - - C:\Windows\System\WwbggSl.exe
      C:\Windows\System\WwbggSl.exe
      4⤵
      PID:6452
  - - C:\Windows\System\ETxWdKX.exe
      C:\Windows\System\ETxWdKX.exe
      4⤵
      PID:6484
  - - C:\Windows\System\dtLejSt.exe
      C:\Windows\System\dtLejSt.exe
      4⤵
      PID:6500
  - - C:\Windows\System\btGZWmf.exe
      C:\Windows\System\btGZWmf.exe
      4⤵
      PID:6544
  - - C:\Windows\System\nIVVDcz.exe
      C:\Windows\System\nIVVDcz.exe
      4⤵
      PID:6592
  - - C:\Windows\System\dDbHnPi.exe
      C:\Windows\System\dDbHnPi.exe
      4⤵
      PID:6624
  - - C:\Windows\System\QzDCtDm.exe
      C:\Windows\System\QzDCtDm.exe
      4⤵
      PID:6652
  - - C:\Windows\System\vkhcgEz.exe
      C:\Windows\System\vkhcgEz.exe
      4⤵
      PID:6684
  - - C:\Windows\System\iLroPke.exe
      C:\Windows\System\iLroPke.exe
      4⤵
      PID:6720
  - - C:\Windows\System\UpOStnB.exe
      C:\Windows\System\UpOStnB.exe
      4⤵
      PID:6760
  - - C:\Windows\System\pAWRqpH.exe
      C:\Windows\System\pAWRqpH.exe
      4⤵
      PID:6796
  - - C:\Windows\System\ZNGxEVb.exe
      C:\Windows\System\ZNGxEVb.exe
      4⤵
      PID:6820
  - - C:\Windows\System\aInoYBj.exe
      C:\Windows\System\aInoYBj.exe
      4⤵
      PID:6844
  - - C:\Windows\System\jtDMUaO.exe
      C:\Windows\System\jtDMUaO.exe
      4⤵
      PID:6876
  - - C:\Windows\System\zRIyarP.exe
      C:\Windows\System\zRIyarP.exe
      4⤵
      PID:6908
  - - C:\Windows\System\LuonjPz.exe
      C:\Windows\System\LuonjPz.exe
      4⤵
      PID:6944
  - - C:\Windows\System\ZWifWrL.exe
      C:\Windows\System\ZWifWrL.exe
      4⤵
      PID:6968
  - - C:\Windows\System\EuAXPxM.exe
      C:\Windows\System\EuAXPxM.exe
      4⤵
      PID:6996
  - - C:\Windows\System\YcwvgVu.exe
      C:\Windows\System\YcwvgVu.exe
      4⤵
      PID:7036
  - - C:\Windows\System\CWVUUOR.exe
      C:\Windows\System\CWVUUOR.exe
      4⤵
      PID:7068
  - - C:\Windows\System\sVYcNOU.exe
      C:\Windows\System\sVYcNOU.exe
      4⤵
      PID:7096
  - - C:\Windows\System\grEVzTA.exe
      C:\Windows\System\grEVzTA.exe
      4⤵
      PID:7120
  - - C:\Windows\System\MgTrxLE.exe
      C:\Windows\System\MgTrxLE.exe
      4⤵
      PID:7144
  - - C:\Windows\System\nOiThgW.exe
      C:\Windows\System\nOiThgW.exe
      4⤵
      PID:6028
  - - C:\Windows\System\uDIZaNS.exe
      C:\Windows\System\uDIZaNS.exe
      4⤵
      PID:5520
  - - C:\Windows\System\xUmbOZz.exe
      C:\Windows\System\xUmbOZz.exe
      4⤵
      PID:5228
  - - C:\Windows\System\RWJDvFS.exe
      C:\Windows\System\RWJDvFS.exe
      4⤵
      PID:6060
  - - C:\Windows\System\xnMpKeq.exe
      C:\Windows\System\xnMpKeq.exe
      4⤵
      PID:6156
  - - C:\Windows\System\kQvkaiI.exe
      C:\Windows\System\kQvkaiI.exe
      4⤵
      PID:6276
  - - C:\Windows\System\oHlDDKN.exe
      C:\Windows\System\oHlDDKN.exe
      4⤵
      PID:5892
  - - C:\Windows\System\pWckpcd.exe
      C:\Windows\System\pWckpcd.exe
      4⤵
      PID:6468
  - - C:\Windows\System\kEKMdDZ.exe
      C:\Windows\System\kEKMdDZ.exe
      4⤵
      PID:6492
  - - C:\Windows\System\dXGCXBW.exe
      C:\Windows\System\dXGCXBW.exe
      4⤵
      PID:6524
  - - C:\Windows\System\cusyToE.exe
      C:\Windows\System\cusyToE.exe
      4⤵
      PID:6608
  - - C:\Windows\System\GaelGbE.exe
      C:\Windows\System\GaelGbE.exe
      4⤵
      PID:6708
  - - C:\Windows\System\shjiRir.exe
      C:\Windows\System\shjiRir.exe
      4⤵
      PID:6648
  - - C:\Windows\System\OtNytmD.exe
      C:\Windows\System\OtNytmD.exe
      4⤵
      PID:6568
  - - C:\Windows\System\fkTbOiG.exe
      C:\Windows\System\fkTbOiG.exe
      4⤵
      PID:7024
  - - C:\Windows\System\VpQuZEh.exe
      C:\Windows\System\VpQuZEh.exe
      4⤵
      PID:7104
  - - C:\Windows\System\NSNAmim.exe
      C:\Windows\System\NSNAmim.exe
      4⤵
      PID:6916
  - - C:\Windows\System\mETqwsn.exe
      C:\Windows\System\mETqwsn.exe
      4⤵
      PID:2532
  - - C:\Windows\System\SxlHQsK.exe
      C:\Windows\System\SxlHQsK.exe
      4⤵
      PID:6788
  - - C:\Windows\System\CHcQrXF.exe
      C:\Windows\System\CHcQrXF.exe
      4⤵
      PID:6840
  - - C:\Windows\System\qiGxSBu.exe
      C:\Windows\System\qiGxSBu.exe
      4⤵
      PID:1368
  - - C:\Windows\System\nBMyLQh.exe
      C:\Windows\System\nBMyLQh.exe
      4⤵
      PID:6476
  - - C:\Windows\System\BSMSJPe.exe
      C:\Windows\System\BSMSJPe.exe
      4⤵
      PID:5508
  - - C:\Windows\System\PHYvzrM.exe
      C:\Windows\System\PHYvzrM.exe
      4⤵
      PID:6872
  - - C:\Windows\System\hdrFBOa.exe
      C:\Windows\System\hdrFBOa.exe
      4⤵
      PID:6664
  - - C:\Windows\System\FEpXFgr.exe
      C:\Windows\System\FEpXFgr.exe
      4⤵
      PID:6516
  - - C:\Windows\System\QvImFok.exe
      C:\Windows\System\QvImFok.exe
      4⤵
      PID:6328
  - - C:\Windows\System\PAWRIAt.exe
      C:\Windows\System\PAWRIAt.exe
      4⤵
      PID:6888
  - - C:\Windows\System\wsjAVyx.exe
      C:\Windows\System\wsjAVyx.exe
      4⤵
      PID:7176
  - - C:\Windows\System\cyFNySu.exe
      C:\Windows\System\cyFNySu.exe
      4⤵
      PID:7208
  - - C:\Windows\System\nIgLGoT.exe
      C:\Windows\System\nIgLGoT.exe
      4⤵
      PID:7236
  - - C:\Windows\System\jtZHitB.exe
      C:\Windows\System\jtZHitB.exe
      4⤵
      PID:7264
  - - C:\Windows\System\aOPKDCg.exe
      C:\Windows\System\aOPKDCg.exe
      4⤵
      PID:7308
  - - C:\Windows\System\pdfyCsr.exe
      C:\Windows\System\pdfyCsr.exe
      4⤵
      PID:7344
  - - C:\Windows\System\rHdnIfO.exe
      C:\Windows\System\rHdnIfO.exe
      4⤵
      PID:7360
  - - C:\Windows\System\sUvNnMO.exe
      C:\Windows\System\sUvNnMO.exe
      4⤵
      PID:7376
  - - C:\Windows\System\qssAHEp.exe
      C:\Windows\System\qssAHEp.exe
      4⤵
      PID:7392
  - - C:\Windows\System\dGVQxBI.exe
      C:\Windows\System\dGVQxBI.exe
      4⤵
      PID:7408
  - - C:\Windows\System\UWjaYcb.exe
      C:\Windows\System\UWjaYcb.exe
      4⤵
      PID:7444
  - - C:\Windows\System\mMpoWKb.exe
      C:\Windows\System\mMpoWKb.exe
      4⤵
      PID:7464
  - - C:\Windows\System\OZyCOoe.exe
      C:\Windows\System\OZyCOoe.exe
      4⤵
      PID:7484
  - - C:\Windows\System\fuyJEtc.exe
      C:\Windows\System\fuyJEtc.exe
      4⤵
      PID:7508
  - - C:\Windows\System\OCTlBcx.exe
      C:\Windows\System\OCTlBcx.exe
      4⤵
      PID:7560
  - - C:\Windows\System\OAxSpLH.exe
      C:\Windows\System\OAxSpLH.exe
      4⤵
      PID:7636
  - - C:\Windows\System\juOMGYM.exe
      C:\Windows\System\juOMGYM.exe
      4⤵
      PID:7688
  - - C:\Windows\System\vZVAPZh.exe
      C:\Windows\System\vZVAPZh.exe
      4⤵
      PID:7720
  - - C:\Windows\System\smGwXtP.exe
      C:\Windows\System\smGwXtP.exe
      4⤵
      PID:7760
  - - C:\Windows\System\QLuaKtG.exe
      C:\Windows\System\QLuaKtG.exe
      4⤵
      PID:7784
  - - C:\Windows\System\EkPpDMW.exe
      C:\Windows\System\EkPpDMW.exe
      4⤵
      PID:7816
  - - C:\Windows\System\efpjICS.exe
      C:\Windows\System\efpjICS.exe
      4⤵
      PID:7848
  - - C:\Windows\System\vEdzWLY.exe
      C:\Windows\System\vEdzWLY.exe
      4⤵
      PID:7872
  - - C:\Windows\System\ETxEExt.exe
      C:\Windows\System\ETxEExt.exe
      4⤵
      PID:7896
  - - C:\Windows\System\byoLtJQ.exe
      C:\Windows\System\byoLtJQ.exe
      4⤵
      PID:7924
  - - C:\Windows\System\iueiOsx.exe
      C:\Windows\System\iueiOsx.exe
      4⤵
      PID:7960
  - - C:\Windows\System\nEgacjn.exe
      C:\Windows\System\nEgacjn.exe
      4⤵
      PID:7992
  - - C:\Windows\System\clBhUWG.exe
      C:\Windows\System\clBhUWG.exe
      4⤵
      PID:8028
  - - C:\Windows\System\jhQSoZh.exe
      C:\Windows\System\jhQSoZh.exe
      4⤵
      PID:8052
  - - C:\Windows\System\PWAnRUE.exe
      C:\Windows\System\PWAnRUE.exe
      4⤵
      PID:8072
  - - C:\Windows\System\JIgNVuW.exe
      C:\Windows\System\JIgNVuW.exe
      4⤵
      PID:8092
  - - C:\Windows\System\jTKgefZ.exe
      C:\Windows\System\jTKgefZ.exe
      4⤵
      PID:8144
  - - C:\Windows\System\pvmrFBy.exe
      C:\Windows\System\pvmrFBy.exe
      4⤵
      PID:8188
  - - C:\Windows\System\KQYCxpB.exe
      C:\Windows\System\KQYCxpB.exe
      4⤵
      PID:6856
  - - C:\Windows\System\ITNFCfb.exe
      C:\Windows\System\ITNFCfb.exe
      4⤵
      PID:6576
  - - C:\Windows\System\ynCifMf.exe
      C:\Windows\System\ynCifMf.exe
      4⤵
      PID:6188
  - - C:\Windows\System\jnNcqvh.exe
      C:\Windows\System\jnNcqvh.exe
      4⤵
      PID:6804
  - - C:\Windows\System\sNisvbc.exe
      C:\Windows\System\sNisvbc.exe
      4⤵
      PID:7280
  - - C:\Windows\System\ZqENmNw.exe
      C:\Windows\System\ZqENmNw.exe
      4⤵
      PID:3924
  - - C:\Windows\System\HFCrUhy.exe
      C:\Windows\System\HFCrUhy.exe
      4⤵
      PID:6264
  - - C:\Windows\System\oSLvTlK.exe
      C:\Windows\System\oSLvTlK.exe
      4⤵
      PID:7300
  - - C:\Windows\System\nITNSwG.exe
      C:\Windows\System\nITNSwG.exe
      4⤵
      PID:7196
  - - C:\Windows\System\qJaxnOV.exe
      C:\Windows\System\qJaxnOV.exe
      4⤵
      PID:7244
  - - C:\Windows\System\WnIOJei.exe
      C:\Windows\System\WnIOJei.exe
      4⤵
      PID:7652
  - - C:\Windows\System\hfOePGO.exe
      C:\Windows\System\hfOePGO.exe
      4⤵
      PID:7804
  - - C:\Windows\System\qGBvEqj.exe
      C:\Windows\System\qGBvEqj.exe
      4⤵
      PID:7668
  - - C:\Windows\System\qzTSAFg.exe
      C:\Windows\System\qzTSAFg.exe
      4⤵
      PID:7604
  - - C:\Windows\System\ECpJNkA.exe
      C:\Windows\System\ECpJNkA.exe
      4⤵
      PID:8068
  - - C:\Windows\System\jMOoSeK.exe
      C:\Windows\System\jMOoSeK.exe
      4⤵
      PID:7972
  - - C:\Windows\System\pSsUIQQ.exe
      C:\Windows\System\pSsUIQQ.exe
      4⤵
      PID:8004
  - - C:\Windows\System\uwiEuyV.exe
      C:\Windows\System\uwiEuyV.exe
      4⤵
      PID:8088
  - - C:\Windows\System\zpWjdek.exe
      C:\Windows\System\zpWjdek.exe
      4⤵
      PID:6428
  - - C:\Windows\System\vEXOvuX.exe
      C:\Windows\System\vEXOvuX.exe
      4⤵
      PID:8104
  - - C:\Windows\System\LbDAQPK.exe
      C:\Windows\System\LbDAQPK.exe
      4⤵
      PID:7328
  - - C:\Windows\System\QZjXdxC.exe
      C:\Windows\System\QZjXdxC.exe
      4⤵
      PID:3788
  - - C:\Windows\System\DrZKNFr.exe
      C:\Windows\System\DrZKNFr.exe
      4⤵
      PID:7664
  - - C:\Windows\System\KtrRppe.exe
      C:\Windows\System\KtrRppe.exe
      4⤵
      PID:7504
  - - C:\Windows\System\LNkdTaR.exe
      C:\Windows\System\LNkdTaR.exe
      4⤵
      PID:7868
  - - C:\Windows\System\bwnCzsm.exe
      C:\Windows\System\bwnCzsm.exe
      4⤵
      PID:8196
  - - C:\Windows\System\XwhLARr.exe
      C:\Windows\System\XwhLARr.exe
      4⤵
      PID:8224
  - - C:\Windows\System\bwmfWOY.exe
      C:\Windows\System\bwmfWOY.exe
      4⤵
      PID:8256
  - - C:\Windows\System\PFLjtIc.exe
      C:\Windows\System\PFLjtIc.exe
      4⤵
      PID:8300
  - - C:\Windows\System\iHRdYMI.exe
      C:\Windows\System\iHRdYMI.exe
      4⤵
      PID:8336
  - - C:\Windows\System\TERHveS.exe
      C:\Windows\System\TERHveS.exe
      4⤵
      PID:8368
  - - C:\Windows\System\nOMTOTb.exe
      C:\Windows\System\nOMTOTb.exe
      4⤵
      PID:8408
  - - C:\Windows\System\tlQymaT.exe
      C:\Windows\System\tlQymaT.exe
      4⤵
      PID:8436
  - - C:\Windows\System\nmujaWv.exe
      C:\Windows\System\nmujaWv.exe
      4⤵
      PID:8460
  - - C:\Windows\System\XjDwTiv.exe
      C:\Windows\System\XjDwTiv.exe
      4⤵
      PID:8568
  - - C:\Windows\System\rKvEelN.exe
      C:\Windows\System\rKvEelN.exe
      4⤵
      PID:8660
  - - C:\Windows\System\FWTgymc.exe
      C:\Windows\System\FWTgymc.exe
      4⤵
      PID:8712
  - - C:\Windows\System\phmnvUP.exe
      C:\Windows\System\phmnvUP.exe
      4⤵
      PID:8756
  - - C:\Windows\System\KDOoHBm.exe
      C:\Windows\System\KDOoHBm.exe
      4⤵
      PID:8788
  - - C:\Windows\System\XqgQivY.exe
      C:\Windows\System\XqgQivY.exe
      4⤵
      PID:8824
  - - C:\Windows\System\dhzuKjZ.exe
      C:\Windows\System\dhzuKjZ.exe
      4⤵
      PID:8864
  - - C:\Windows\System\ATeuHcC.exe
      C:\Windows\System\ATeuHcC.exe
      4⤵
      PID:8884
  - - C:\Windows\System\nntPHiB.exe
      C:\Windows\System\nntPHiB.exe
      4⤵
      PID:8908
  - - C:\Windows\System\yupPjxL.exe
      C:\Windows\System\yupPjxL.exe
      4⤵
      PID:8964
  - - C:\Windows\System\UeVbRsq.exe
      C:\Windows\System\UeVbRsq.exe
      4⤵
      PID:9008
  - - C:\Windows\System\hKDREAe.exe
      C:\Windows\System\hKDREAe.exe
      4⤵
      PID:9036
  - - C:\Windows\System\BGlLays.exe
      C:\Windows\System\BGlLays.exe
      4⤵
      PID:9064
  - - C:\Windows\System\DyRqjyU.exe
      C:\Windows\System\DyRqjyU.exe
      4⤵
      PID:9100
  - - C:\Windows\System\cUjxRYS.exe
      C:\Windows\System\cUjxRYS.exe
      4⤵
      PID:9172
  - - C:\Windows\System\XzpBAIP.exe
      C:\Windows\System\XzpBAIP.exe
      4⤵
      PID:5264
  - - C:\Windows\System\gWypxDl.exe
      C:\Windows\System\gWypxDl.exe
      4⤵
      PID:7536
  - - C:\Windows\System\SomMtrV.exe
      C:\Windows\System\SomMtrV.exe
      4⤵
      PID:7908
  - - C:\Windows\System\VZgDrOU.exe
      C:\Windows\System\VZgDrOU.exe
      4⤵
      PID:8220
  - - C:\Windows\System\YrGudyj.exe
      C:\Windows\System\YrGudyj.exe
      4⤵
      PID:8216
  - - C:\Windows\System\DHJBpZI.exe
      C:\Windows\System\DHJBpZI.exe
      4⤵
      PID:4596
  - - C:\Windows\System\IVLVKNg.exe
      C:\Windows\System\IVLVKNg.exe
      4⤵
      PID:5496
  - - C:\Windows\System\TlHeIaw.exe
      C:\Windows\System\TlHeIaw.exe
      4⤵
      PID:8348
  - - C:\Windows\System\nqRZqoK.exe
      C:\Windows\System\nqRZqoK.exe
      4⤵
      PID:8264
  - - C:\Windows\System\UXyNuiX.exe
      C:\Windows\System\UXyNuiX.exe
      4⤵
      PID:8356
  - - C:\Windows\System\fplflZD.exe
      C:\Windows\System\fplflZD.exe
      4⤵
      PID:8424
  - - C:\Windows\System\xgSLVaL.exe
      C:\Windows\System\xgSLVaL.exe
      4⤵
      PID:8656
  - - C:\Windows\System\wJyFtRP.exe
      C:\Windows\System\wJyFtRP.exe
      4⤵
      PID:8808
  - - C:\Windows\System\HFqWukA.exe
      C:\Windows\System\HFqWukA.exe
      4⤵
      PID:8872
  - - C:\Windows\System\bvCaYAl.exe
      C:\Windows\System\bvCaYAl.exe
      4⤵
      PID:8728
  - - C:\Windows\System\aQuZIiR.exe
      C:\Windows\System\aQuZIiR.exe
      4⤵
      PID:9060
  - - C:\Windows\System\YyrVGoY.exe
      C:\Windows\System\YyrVGoY.exe
      4⤵
      PID:8796
  - - C:\Windows\System\YpGhiRc.exe
      C:\Windows\System\YpGhiRc.exe
      4⤵
      PID:8944
  - - C:\Windows\System\lZCrCEs.exe
      C:\Windows\System\lZCrCEs.exe
      4⤵
      PID:9192
  - - C:\Windows\System\QyVUOBA.exe
      C:\Windows\System\QyVUOBA.exe
      4⤵
      PID:7980
  - - C:\Windows\System\qhDEwTE.exe
      C:\Windows\System\qhDEwTE.exe
      4⤵
      PID:9044
  - - C:\Windows\System\nINIgEN.exe
      C:\Windows\System\nINIgEN.exe
      4⤵
      PID:8332
  - - C:\Windows\System\roxNlYg.exe
      C:\Windows\System\roxNlYg.exe
      4⤵
      PID:7200
  - - C:\Windows\System\IJZstdY.exe
      C:\Windows\System\IJZstdY.exe
      4⤵
      PID:7864
  - - C:\Windows\System\ESzHpSm.exe
      C:\Windows\System\ESzHpSm.exe
      4⤵
      PID:8928
  - - C:\Windows\System\jYEdPcI.exe
      C:\Windows\System\jYEdPcI.exe
      4⤵
      PID:9056
  - - C:\Windows\System\kQcNwNT.exe
      C:\Windows\System\kQcNwNT.exe
      4⤵
      PID:8288
  - - C:\Windows\System\uMEAtsZ.exe
      C:\Windows\System\uMEAtsZ.exe
      4⤵
      PID:8920
  - - C:\Windows\System\KxILJhI.exe
      C:\Windows\System\KxILJhI.exe
      4⤵
      PID:8896
  - - C:\Windows\System\cXODQnf.exe
      C:\Windows\System\cXODQnf.exe
      4⤵
      PID:9168
  - - C:\Windows\System\qBmibfK.exe
      C:\Windows\System\qBmibfK.exe
      4⤵
      PID:8996
  - - C:\Windows\System\lNZfyFe.exe
      C:\Windows\System\lNZfyFe.exe
      4⤵
      PID:8772
  - - C:\Windows\System\cvJsbfi.exe
      C:\Windows\System\cvJsbfi.exe
      4⤵
      PID:8320
  - - C:\Windows\System\ITIwOEF.exe
      C:\Windows\System\ITIwOEF.exe
      4⤵
      PID:8576
  - - C:\Windows\System\hygOWsM.exe
      C:\Windows\System\hygOWsM.exe
      4⤵
      PID:9248
  - - C:\Windows\System\LQntdfX.exe
      C:\Windows\System\LQntdfX.exe
      4⤵
      PID:9280
  - - C:\Windows\System\nMzkcyB.exe
      C:\Windows\System\nMzkcyB.exe
      4⤵
      PID:9320
  - - C:\Windows\System\tDteltC.exe
      C:\Windows\System\tDteltC.exe
      4⤵
      PID:9352
  - - C:\Windows\System\YsrFZxN.exe
      C:\Windows\System\YsrFZxN.exe
      4⤵
      PID:9376
  - - C:\Windows\System\Fqmemot.exe
      C:\Windows\System\Fqmemot.exe
      4⤵
      PID:9436
  - - C:\Windows\System\YqmmHqY.exe
      C:\Windows\System\YqmmHqY.exe
      4⤵
      PID:9468
  - - C:\Windows\System\rkuqfXV.exe
      C:\Windows\System\rkuqfXV.exe
      4⤵
      PID:9508
  - - C:\Windows\System\jfGXqbq.exe
      C:\Windows\System\jfGXqbq.exe
      4⤵
      PID:9528
  - - C:\Windows\System\IFmDCEE.exe
      C:\Windows\System\IFmDCEE.exe
      4⤵
      PID:9568
  - - C:\Windows\System\lHolqSw.exe
      C:\Windows\System\lHolqSw.exe
      4⤵
      PID:9604
  - - C:\Windows\System\XuaihVU.exe
      C:\Windows\System\XuaihVU.exe
      4⤵
      PID:9628
  - - C:\Windows\System\wjliJYP.exe
      C:\Windows\System\wjliJYP.exe
      4⤵
      PID:9672
  - - C:\Windows\System\ToGcohI.exe
      C:\Windows\System\ToGcohI.exe
      4⤵
      PID:9736
  - - C:\Windows\System\yCcrPxJ.exe
      C:\Windows\System\yCcrPxJ.exe
      4⤵
      PID:9772
  - - C:\Windows\System\ucgZQfG.exe
      C:\Windows\System\ucgZQfG.exe
      4⤵
      PID:9812
  - - C:\Windows\System\JKVfHJK.exe
      C:\Windows\System\JKVfHJK.exe
      4⤵
      PID:9848
  - - C:\Windows\System\veEtDJM.exe
      C:\Windows\System\veEtDJM.exe
      4⤵
      PID:9876
  - - C:\Windows\System\cgUtRLL.exe
      C:\Windows\System\cgUtRLL.exe
      4⤵
      PID:9920
  - - C:\Windows\System\ADBQqmx.exe
      C:\Windows\System\ADBQqmx.exe
      4⤵
      PID:9952
  - - C:\Windows\System\XLdwznp.exe
      C:\Windows\System\XLdwznp.exe
      4⤵
      PID:9996
  - - C:\Windows\System\qICSPvF.exe
      C:\Windows\System\qICSPvF.exe
      4⤵
      PID:10024
  - - C:\Windows\System\HDlpYpH.exe
      C:\Windows\System\HDlpYpH.exe
      4⤵
      PID:10060
  - - C:\Windows\System\jBxRtTw.exe
      C:\Windows\System\jBxRtTw.exe
      4⤵
      PID:10088
  - - C:\Windows\System\AOitUpo.exe
      C:\Windows\System\AOitUpo.exe
      4⤵
      PID:10160
  - - C:\Windows\System\gqUPvFd.exe
      C:\Windows\System\gqUPvFd.exe
      4⤵
      PID:10196
  - - C:\Windows\System\iqWTGUU.exe
      C:\Windows\System\iqWTGUU.exe
      4⤵
      PID:10228
  - - C:\Windows\System\taoWOxp.exe
      C:\Windows\System\taoWOxp.exe
      4⤵
      PID:8976
  - - C:\Windows\System\JpFcZix.exe
      C:\Windows\System\JpFcZix.exe
      4⤵
      PID:9224
  - - C:\Windows\System\rKnXOWM.exe
      C:\Windows\System\rKnXOWM.exe
      4⤵
      PID:9308
  - - C:\Windows\System\tsICqXl.exe
      C:\Windows\System\tsICqXl.exe
      4⤵
      PID:9304
  - - C:\Windows\System\fXmYBSR.exe
      C:\Windows\System\fXmYBSR.exe
      4⤵
      PID:9368
  - - C:\Windows\System\JgYVSkI.exe
      C:\Windows\System\JgYVSkI.exe
      4⤵
      PID:9360
  - - C:\Windows\System\HhKauqw.exe
      C:\Windows\System\HhKauqw.exe
      4⤵
      PID:9488
  - - C:\Windows\System\KIxawAj.exe
      C:\Windows\System\KIxawAj.exe
      4⤵
      PID:9764
  - - C:\Windows\System\YUQglDq.exe
      C:\Windows\System\YUQglDq.exe
      4⤵
      PID:9592
  - - C:\Windows\System\QWBKZKV.exe
      C:\Windows\System\QWBKZKV.exe
      4⤵
      PID:9732
  - - C:\Windows\System\CsKHYfO.exe
      C:\Windows\System\CsKHYfO.exe
      4⤵
      PID:9620
  - - C:\Windows\System\WfWmgOs.exe
      C:\Windows\System\WfWmgOs.exe
      4⤵
      PID:9660
  - - C:\Windows\System\rgDMlTy.exe
      C:\Windows\System\rgDMlTy.exe
      4⤵
      PID:9704
  - - C:\Windows\System\xRJqcYp.exe
      C:\Windows\System\xRJqcYp.exe
      4⤵
      PID:10132
  - - C:\Windows\System\tstLits.exe
      C:\Windows\System\tstLits.exe
      4⤵
      PID:10168
  - - C:\Windows\System\TcOGVzp.exe
      C:\Windows\System\TcOGVzp.exe
      4⤵
      PID:9860
  - - C:\Windows\System\EBYfezE.exe
      C:\Windows\System\EBYfezE.exe
      4⤵
      PID:9940
  - - C:\Windows\System\gNrJTXe.exe
      C:\Windows\System\gNrJTXe.exe
      4⤵
      PID:9396
  - - C:\Windows\System\nsHaSGa.exe
      C:\Windows\System\nsHaSGa.exe
      4⤵
      PID:8776
  - - C:\Windows\System\uIRxzmc.exe
      C:\Windows\System\uIRxzmc.exe
      4⤵
      PID:9692
  - - C:\Windows\System\ldWsaDT.exe
      C:\Windows\System\ldWsaDT.exe
      4⤵
      PID:9836
  - - C:\Windows\System\jEFrtQn.exe
      C:\Windows\System\jEFrtQn.exe
      4⤵
      PID:9500
  - - C:\Windows\System\QdHLuFb.exe
      C:\Windows\System\QdHLuFb.exe
      4⤵
      PID:9912
  - - C:\Windows\System\gYlQdEA.exe
      C:\Windows\System\gYlQdEA.exe
      4⤵
      PID:9868
  - - C:\Windows\System\wsiTHaR.exe
      C:\Windows\System\wsiTHaR.exe
      4⤵
      PID:9300
  - - C:\Windows\System\RAkOoUg.exe
      C:\Windows\System\RAkOoUg.exe
      4⤵
      PID:10264
  - - C:\Windows\System\peWpUVK.exe
      C:\Windows\System\peWpUVK.exe
      4⤵
      PID:10328
  - - C:\Windows\System\FZENwLe.exe
      C:\Windows\System\FZENwLe.exe
      4⤵
      PID:10360
  - - C:\Windows\System\rGRzprU.exe
      C:\Windows\System\rGRzprU.exe
      4⤵
      PID:10384
  - - C:\Windows\System\ZxUOEdk.exe
      C:\Windows\System\ZxUOEdk.exe
      4⤵
      PID:10448
  - - C:\Windows\System\VgPxcTS.exe
      C:\Windows\System\VgPxcTS.exe
      4⤵
      PID:10480
  - - C:\Windows\System\DwUBQMf.exe
      C:\Windows\System\DwUBQMf.exe
      4⤵
      PID:10516
  - - C:\Windows\System\IFyjdof.exe
      C:\Windows\System\IFyjdof.exe
      4⤵
      PID:10540
  - - C:\Windows\System\UpyMOVB.exe
      C:\Windows\System\UpyMOVB.exe
      4⤵
      PID:10564
  - - C:\Windows\System\qAksnck.exe
      C:\Windows\System\qAksnck.exe
      4⤵
      PID:10584
  - - C:\Windows\System\tVspedY.exe
      C:\Windows\System\tVspedY.exe
      4⤵
      PID:10604
  - - C:\Windows\System\JoyFFDh.exe
      C:\Windows\System\JoyFFDh.exe
      4⤵
      PID:10652
  - - C:\Windows\System\ZdawVZZ.exe
      C:\Windows\System\ZdawVZZ.exe
      4⤵
      PID:10684
  - - C:\Windows\System\PMIuLHC.exe
      C:\Windows\System\PMIuLHC.exe
      4⤵
      PID:10708
  - - C:\Windows\System\IpBrikR.exe
      C:\Windows\System\IpBrikR.exe
      4⤵
      PID:10732
  - - C:\Windows\System\UYuEpRN.exe
      C:\Windows\System\UYuEpRN.exe
      4⤵
      PID:10768
  - - C:\Windows\System\mNQYTqJ.exe
      C:\Windows\System\mNQYTqJ.exe
      4⤵
      PID:10816
  - - C:\Windows\System\gPCQskx.exe
      C:\Windows\System\gPCQskx.exe
      4⤵
      PID:10844
  - - C:\Windows\System\hSGNglh.exe
      C:\Windows\System\hSGNglh.exe
      4⤵
      PID:10872
  - - C:\Windows\System\pjwJneh.exe
      C:\Windows\System\pjwJneh.exe
      4⤵
      PID:10896
  - - C:\Windows\System\HMloxYQ.exe
      C:\Windows\System\HMloxYQ.exe
      4⤵
      PID:10948
  - - C:\Windows\System\cHwfYxj.exe
      C:\Windows\System\cHwfYxj.exe
      4⤵
      PID:10988
  - - C:\Windows\System\KAKfvoH.exe
      C:\Windows\System\KAKfvoH.exe
      4⤵
      PID:11024
  - - C:\Windows\System\NnRrmwp.exe
      C:\Windows\System\NnRrmwp.exe
      4⤵
      PID:11048
  - - C:\Windows\System\pOSktxp.exe
      C:\Windows\System\pOSktxp.exe
      4⤵
      PID:11072
  - - C:\Windows\System\ixeXyqp.exe
      C:\Windows\System\ixeXyqp.exe
      4⤵
      PID:11128
  - - C:\Windows\System\sxeOMdN.exe
      C:\Windows\System\sxeOMdN.exe
      4⤵
      PID:11168
  - - C:\Windows\System\YjuePBU.exe
      C:\Windows\System\YjuePBU.exe
      4⤵
      PID:11208
  - - C:\Windows\System\DXFgoNP.exe
      C:\Windows\System\DXFgoNP.exe
      4⤵
      PID:11232
  - - C:\Windows\System\kFcdKty.exe
      C:\Windows\System\kFcdKty.exe
      4⤵
      PID:11248
  - - C:\Windows\System\hoRdCio.exe
      C:\Windows\System\hoRdCio.exe
      4⤵
      PID:9644
  - - C:\Windows\System\LbZaNVt.exe
      C:\Windows\System\LbZaNVt.exe
      4⤵
      PID:9264
  - - C:\Windows\System\DSqndbp.exe
      C:\Windows\System\DSqndbp.exe
      4⤵
      PID:9728
  - - C:\Windows\System\xXUwjaB.exe
      C:\Windows\System\xXUwjaB.exe
      4⤵
      PID:10104
  - - C:\Windows\System\JmVZxSB.exe
      C:\Windows\System\JmVZxSB.exe
      4⤵
      PID:10120
  - - C:\Windows\System\DdqvYwl.exe
      C:\Windows\System\DdqvYwl.exe
      4⤵
      PID:10496
  - - C:\Windows\System\zEhhUPO.exe
      C:\Windows\System\zEhhUPO.exe
      4⤵
      PID:10396
  - - C:\Windows\System\rnMQaqr.exe
      C:\Windows\System\rnMQaqr.exe
      4⤵
      PID:10260
  - - C:\Windows\System\PDfaXFi.exe
      C:\Windows\System\PDfaXFi.exe
      4⤵
      PID:10628
  - - C:\Windows\System\OlJqxOL.exe
      C:\Windows\System\OlJqxOL.exe
      4⤵
      PID:10512
  - - C:\Windows\System\yixpMyZ.exe
      C:\Windows\System\yixpMyZ.exe
      4⤵
      PID:10612
  - - C:\Windows\System\ruRfzjb.exe
      C:\Windows\System\ruRfzjb.exe
      4⤵
      PID:10744
  - - C:\Windows\System\imnCVzt.exe
      C:\Windows\System\imnCVzt.exe
      4⤵
      PID:11040
  - - C:\Windows\System\FwquWhc.exe
      C:\Windows\System\FwquWhc.exe
      4⤵
      PID:10908
  - - C:\Windows\System\VqIfDtv.exe
      C:\Windows\System\VqIfDtv.exe
      4⤵
      PID:10832
  - - C:\Windows\System\QlhcjHq.exe
      C:\Windows\System\QlhcjHq.exe
      4⤵
      PID:11152
  - - C:\Windows\System\NIKMiIe.exe
      C:\Windows\System\NIKMiIe.exe
      4⤵
      PID:11240
  - - C:\Windows\System\JZYMBDV.exe
      C:\Windows\System\JZYMBDV.exe
      4⤵
      PID:10716
  - - C:\Windows\System\XLEbGbZ.exe
      C:\Windows\System\XLEbGbZ.exe
      4⤵
      PID:11008
  - - C:\Windows\System\VgzuUKE.exe
      C:\Windows\System\VgzuUKE.exe
      4⤵
      PID:10140
  - - C:\Windows\System\ICkfwRn.exe
      C:\Windows\System\ICkfwRn.exe
      4⤵
      PID:10536
  - - C:\Windows\System\ZEEKaYT.exe
      C:\Windows\System\ZEEKaYT.exe
      4⤵
      PID:10420
  - - C:\Windows\System\EpLWnyr.exe
      C:\Windows\System\EpLWnyr.exe
      4⤵
      PID:10472
  - - C:\Windows\System\tgnaVIY.exe
      C:\Windows\System\tgnaVIY.exe
      4⤵
      PID:10752
  - - C:\Windows\System\gfMNgcH.exe
      C:\Windows\System\gfMNgcH.exe
      4⤵
      PID:10336
  - - C:\Windows\System\KpAcdoD.exe
      C:\Windows\System\KpAcdoD.exe
      4⤵
      PID:10804
  - - C:\Windows\System\AOQXXLi.exe
      C:\Windows\System\AOQXXLi.exe
      4⤵
      PID:8444
  - - C:\Windows\System\dYqAYxc.exe
      C:\Windows\System\dYqAYxc.exe
      4⤵
      PID:11300
  - - C:\Windows\System\QVEkuoB.exe
      C:\Windows\System\QVEkuoB.exe
      4⤵
      PID:11336
  - - C:\Windows\System\RsiGHKc.exe
      C:\Windows\System\RsiGHKc.exe
      4⤵
      PID:11356
  - - C:\Windows\System\SwaoPzC.exe
      C:\Windows\System\SwaoPzC.exe
      4⤵
      PID:11404
  - - C:\Windows\System\XPeNbhY.exe
      C:\Windows\System\XPeNbhY.exe
      4⤵
      PID:11444
  - - C:\Windows\System\HwJnOEd.exe
      C:\Windows\System\HwJnOEd.exe
      4⤵
      PID:11472
  - - C:\Windows\System\qUlMJqV.exe
      C:\Windows\System\qUlMJqV.exe
      4⤵
      PID:11508
  - - C:\Windows\System\ZrPXxYa.exe
      C:\Windows\System\ZrPXxYa.exe
      4⤵
      PID:11544
  - - C:\Windows\System\MIlLZzB.exe
      C:\Windows\System\MIlLZzB.exe
      4⤵
      PID:11580
  - - C:\Windows\System\cTSmvNo.exe
      C:\Windows\System\cTSmvNo.exe
      4⤵
      PID:11612
  - - C:\Windows\System\qINUlWL.exe
      C:\Windows\System\qINUlWL.exe
      4⤵
      PID:11652
  - - C:\Windows\System\CzKhzxt.exe
      C:\Windows\System\CzKhzxt.exe
      4⤵
      PID:11684
  - - C:\Windows\System\sfOpHmF.exe
      C:\Windows\System\sfOpHmF.exe
      4⤵
      PID:11728
  - - C:\Windows\System\JvCBvNT.exe
      C:\Windows\System\JvCBvNT.exe
      4⤵
      PID:11752
  - - C:\Windows\System\BXUsWRO.exe
      C:\Windows\System\BXUsWRO.exe
      4⤵
      PID:11788
  - - C:\Windows\System\dEihqPu.exe
      C:\Windows\System\dEihqPu.exe
      4⤵
      PID:11808
  - - C:\Windows\System\QsCjvjz.exe
      C:\Windows\System\QsCjvjz.exe
      4⤵
      PID:11860
  - - C:\Windows\System\qJPRuPB.exe
      C:\Windows\System\qJPRuPB.exe
      4⤵
      PID:11932
  - - C:\Windows\System\ZzsZoDO.exe
      C:\Windows\System\ZzsZoDO.exe
      4⤵
      PID:11956
  - - C:\Windows\System\RpLfrEO.exe
      C:\Windows\System\RpLfrEO.exe
      4⤵
      PID:12008
  - - C:\Windows\System\FDQWaEH.exe
      C:\Windows\System\FDQWaEH.exe
      4⤵
      PID:12052
  - - C:\Windows\System\lqtcbBM.exe
      C:\Windows\System\lqtcbBM.exe
      4⤵
      PID:12092
  - - C:\Windows\System\cCyTcqY.exe
      C:\Windows\System\cCyTcqY.exe
      4⤵
      PID:12124
  - - C:\Windows\System\GkZvdQY.exe
      C:\Windows\System\GkZvdQY.exe
      4⤵
      PID:12148
  - - C:\Windows\System\YBYLRna.exe
      C:\Windows\System\YBYLRna.exe
      4⤵
      PID:12172
  - - C:\Windows\System\UMttHkD.exe
      C:\Windows\System\UMttHkD.exe
      4⤵
      PID:12208
  - - C:\Windows\System\LIFoEJf.exe
      C:\Windows\System\LIFoEJf.exe
      4⤵
      PID:12260
  - - C:\Windows\System\NpKkbXe.exe
      C:\Windows\System\NpKkbXe.exe
      4⤵
      PID:11112
  - - C:\Windows\System\sXSqHuz.exe
      C:\Windows\System\sXSqHuz.exe
      4⤵
      PID:10408
  - - C:\Windows\System\DVFrUvX.exe
      C:\Windows\System\DVFrUvX.exe
      4⤵
      PID:11312
  - - C:\Windows\System\bqOKHID.exe
      C:\Windows\System\bqOKHID.exe
      4⤵
      PID:10116
  - - C:\Windows\System\ZgLfGsZ.exe
      C:\Windows\System\ZgLfGsZ.exe
      4⤵
      PID:8396
  - - C:\Windows\System\zqfMnSC.exe
      C:\Windows\System\zqfMnSC.exe
      4⤵
      PID:11352
  - - C:\Windows\System\hjNJDFY.exe
      C:\Windows\System\hjNJDFY.exe
      4⤵
      PID:10888
  - - C:\Windows\System\iWFaLAg.exe
      C:\Windows\System\iWFaLAg.exe
      4⤵
      PID:11568
  - - C:\Windows\System\jJcvwDo.exe
      C:\Windows\System\jJcvwDo.exe
      4⤵
      PID:11636
  - - C:\Windows\System\IqBSdht.exe
      C:\Windows\System\IqBSdht.exe
      4⤵
      PID:11456
  - - C:\Windows\System\jYEaGnw.exe
      C:\Windows\System\jYEaGnw.exe
      4⤵
      PID:11524
  - - C:\Windows\System\cgvuOiR.exe
      C:\Windows\System\cgvuOiR.exe
      4⤵
      PID:11772
  - - C:\Windows\System\JBLSUHS.exe
      C:\Windows\System\JBLSUHS.exe
      4⤵
      PID:11820
  - - C:\Windows\System\sAEHOfq.exe
      C:\Windows\System\sAEHOfq.exe
      4⤵
      PID:11672
  - - C:\Windows\System\HTsYXEu.exe
      C:\Windows\System\HTsYXEu.exe
      4⤵
      PID:11804
  - - C:\Windows\System\tLesMth.exe
      C:\Windows\System\tLesMth.exe
      4⤵
      PID:12196
  - - C:\Windows\System\uSHCfHv.exe
      C:\Windows\System\uSHCfHv.exe
      4⤵
      PID:11888
  - - C:\Windows\System\VsHcbzr.exe
      C:\Windows\System\VsHcbzr.exe
      4⤵
      PID:12084
  - - C:\Windows\System\GgJjoys.exe
      C:\Windows\System\GgJjoys.exe
      4⤵
      PID:10968
  - - C:\Windows\System\wunYvNR.exe
      C:\Windows\System\wunYvNR.exe
      4⤵
      PID:11432
  - - C:\Windows\System\zCJalCv.exe
      C:\Windows\System\zCJalCv.exe
      4⤵
      PID:10252
  - - C:\Windows\System\LWZNLnF.exe
      C:\Windows\System\LWZNLnF.exe
      4⤵
      PID:6976
  - - C:\Windows\System\ykqhpoX.exe
      C:\Windows\System\ykqhpoX.exe
      4⤵
      PID:11180
  - - C:\Windows\System\PKWZIpo.exe
      C:\Windows\System\PKWZIpo.exe
      4⤵
      PID:12120
  - - C:\Windows\System\SDpXWDe.exe
      C:\Windows\System\SDpXWDe.exe
      4⤵
      PID:12076
  - - C:\Windows\System\YvLvYgi.exe
      C:\Windows\System\YvLvYgi.exe
      4⤵
      PID:12304
  - - C:\Windows\System\ViZTHWC.exe
      C:\Windows\System\ViZTHWC.exe
      4⤵
      PID:12344
  - - C:\Windows\System\cjHmTeE.exe
      C:\Windows\System\cjHmTeE.exe
      4⤵
      PID:12364
  - - C:\Windows\System\BJzcfVT.exe
      C:\Windows\System\BJzcfVT.exe
      4⤵
      PID:12432
  - - C:\Windows\System\ukyTrkX.exe
      C:\Windows\System\ukyTrkX.exe
      4⤵
      PID:12480
  - - C:\Windows\System\RUpUZMF.exe
      C:\Windows\System\RUpUZMF.exe
      4⤵
      PID:12516
  - - C:\Windows\System\fempriO.exe
      C:\Windows\System\fempriO.exe
      4⤵
      PID:12540
  - - C:\Windows\System\YqaUEel.exe
      C:\Windows\System\YqaUEel.exe
      4⤵
      PID:12564
  - - C:\Windows\System\ESCFRcV.exe
      C:\Windows\System\ESCFRcV.exe
      4⤵
      PID:12624
  - - C:\Windows\System\yvAhiLR.exe
      C:\Windows\System\yvAhiLR.exe
      4⤵
      PID:12656
  - - C:\Windows\System\ZSfEnEb.exe
      C:\Windows\System\ZSfEnEb.exe
      4⤵
      PID:12688
  - - C:\Windows\System\LlRJRQf.exe
      C:\Windows\System\LlRJRQf.exe
      4⤵
      PID:12716
  - - C:\Windows\System\wVGcYqV.exe
      C:\Windows\System\wVGcYqV.exe
      4⤵
      PID:12744
  - - C:\Windows\System\JMCyJOF.exe
      C:\Windows\System\JMCyJOF.exe
      4⤵
      PID:12800
  - - C:\Windows\System\EhmUWFX.exe
      C:\Windows\System\EhmUWFX.exe
      4⤵
      PID:12844
  - - C:\Windows\System\PUukNBx.exe
      C:\Windows\System\PUukNBx.exe
      4⤵
      PID:12872
  - - C:\Windows\System\NItHBlO.exe
      C:\Windows\System\NItHBlO.exe
      4⤵
      PID:12892
  - - C:\Windows\System\AZDaSee.exe
      C:\Windows\System\AZDaSee.exe
      4⤵
      PID:12932
  - - C:\Windows\System\NtunKhR.exe
      C:\Windows\System\NtunKhR.exe
      4⤵
      PID:12972
  - - C:\Windows\System\FYaIWlz.exe
      C:\Windows\System\FYaIWlz.exe
      4⤵
      PID:13032
  - - C:\Windows\System\UvavCLP.exe
      C:\Windows\System\UvavCLP.exe
      4⤵
      PID:13052
  - - C:\Windows\System\XcHnBoM.exe
      C:\Windows\System\XcHnBoM.exe
      4⤵
      PID:13092
  - - C:\Windows\System\cQRqaGk.exe
      C:\Windows\System\cQRqaGk.exe
      4⤵
      PID:13116
  - - C:\Windows\System\cpvFynL.exe
      C:\Windows\System\cpvFynL.exe
      4⤵
      PID:13164
  - - C:\Windows\System\hNChcqC.exe
      C:\Windows\System\hNChcqC.exe
      4⤵
      PID:13204
  - - C:\Windows\System\UnmbRFf.exe
      C:\Windows\System\UnmbRFf.exe
      4⤵
      PID:13240
  - - C:\Windows\System\YeUfyQe.exe
      C:\Windows\System\YeUfyQe.exe
      4⤵
      PID:13268
  - - C:\Windows\System\hlveSCx.exe
      C:\Windows\System\hlveSCx.exe
      4⤵
      PID:13304
  - - C:\Windows\System\sktEerV.exe
      C:\Windows\System\sktEerV.exe
      4⤵
      PID:11940
  - - C:\Windows\System\tbTMfic.exe
      C:\Windows\System\tbTMfic.exe
      4⤵
      PID:6660
  - - C:\Windows\System\vpmVtvW.exe
      C:\Windows\System\vpmVtvW.exe
      4⤵
      PID:12356
  - - C:\Windows\System\LNaIIKL.exe
      C:\Windows\System\LNaIIKL.exe
      4⤵
      PID:12448
  - - C:\Windows\System\LQxOiOr.exe
      C:\Windows\System\LQxOiOr.exe
      4⤵
      PID:12292
  - - C:\Windows\System\UcbWYxc.exe
      C:\Windows\System\UcbWYxc.exe
      4⤵
      PID:12532
  - - C:\Windows\System\KowMyXz.exe
      C:\Windows\System\KowMyXz.exe
      4⤵
      PID:12584
  - - C:\Windows\System\WiKeNGN.exe
      C:\Windows\System\WiKeNGN.exe
      4⤵
      PID:12640
  - - C:\Windows\System\mEtFtYm.exe
      C:\Windows\System\mEtFtYm.exe
      4⤵
      PID:12784
  - - C:\Windows\System\fWlnybU.exe
      C:\Windows\System\fWlnybU.exe
      4⤵
      PID:12796
  - - C:\Windows\System\cLmCaZn.exe
      C:\Windows\System\cLmCaZn.exe
      4⤵
      PID:12680
  - - C:\Windows\System\XydEAoF.exe
      C:\Windows\System\XydEAoF.exe
      4⤵
      PID:12772
  - - C:\Windows\System\WDZJDUh.exe
      C:\Windows\System\WDZJDUh.exe
      4⤵
      PID:12888
  - - C:\Windows\System\xXqoMOf.exe
      C:\Windows\System\xXqoMOf.exe
      4⤵
      PID:13152
  - - C:\Windows\System\nViiOUp.exe
      C:\Windows\System\nViiOUp.exe
      4⤵
      PID:13128
  - - C:\Windows\System\AVMgkHn.exe
      C:\Windows\System\AVMgkHn.exe
      4⤵
      PID:13224
  - - C:\Windows\System\JnHHjos.exe
      C:\Windows\System\JnHHjos.exe
      4⤵
      PID:13160
  - - C:\Windows\System\mnHbISg.exe
      C:\Windows\System\mnHbISg.exe
      4⤵
      PID:13200
  - - C:\Windows\System\KGrOYLr.exe
      C:\Windows\System\KGrOYLr.exe
      4⤵
      PID:12416
  - - C:\Windows\System\wHkDHIJ.exe
      C:\Windows\System\wHkDHIJ.exe
      4⤵
      PID:12496
  - - C:\Windows\System\omaiGGv.exe
      C:\Windows\System\omaiGGv.exe
      4⤵
      PID:12924
  - - C:\Windows\System\yFptpCt.exe
      C:\Windows\System\yFptpCt.exe
      4⤵
      PID:12192
  - - C:\Windows\System\aZfXrWJ.exe
      C:\Windows\System\aZfXrWJ.exe
      4⤵
      PID:11928
  - - C:\Windows\System\vlgMEBR.exe
      C:\Windows\System\vlgMEBR.exe
      4⤵
      PID:12696
  - - C:\Windows\System\thWAkfy.exe
      C:\Windows\System\thWAkfy.exe
      4⤵
      PID:12824
  - - C:\Windows\System\XLQqnvt.exe
      C:\Windows\System\XLQqnvt.exe
      4⤵
      PID:12676
  - - C:\Windows\System\fhTJSjX.exe
      C:\Windows\System\fhTJSjX.exe
      4⤵
      PID:13176
  - - C:\Windows\System\DVCtdHV.exe
      C:\Windows\System\DVCtdHV.exe
      4⤵
      PID:13196
  - - C:\Windows\System\uTXsIZN.exe
      C:\Windows\System\uTXsIZN.exe
      4⤵
      PID:13328
  - - C:\Windows\System\dLiOfxC.exe
      C:\Windows\System\dLiOfxC.exe
      4⤵
      PID:13348
  - - C:\Windows\System\vPkEpDG.exe
      C:\Windows\System\vPkEpDG.exe
      4⤵
      PID:13372
  - - C:\Windows\System\rACHGrf.exe
      C:\Windows\System\rACHGrf.exe
      4⤵
      PID:13396
  - - C:\Windows\System\Nbwkplv.exe
      C:\Windows\System\Nbwkplv.exe
      4⤵
      PID:13428
  - - C:\Windows\System\VAhRHBT.exe
      C:\Windows\System\VAhRHBT.exe
      4⤵
      PID:13464
  - - C:\Windows\System\nwaWcdT.exe
      C:\Windows\System\nwaWcdT.exe
      4⤵
      PID:13524
  - - C:\Windows\System\EWxldpx.exe
      C:\Windows\System\EWxldpx.exe
      4⤵
      PID:13540
  - - C:\Windows\System\HDClfiJ.exe
      C:\Windows\System\HDClfiJ.exe
      4⤵
      PID:13604
  - - C:\Windows\System\ewnkzTq.exe
      C:\Windows\System\ewnkzTq.exe
      4⤵
      PID:13636
  - - C:\Windows\System\EtcSlAX.exe
      C:\Windows\System\EtcSlAX.exe
      4⤵
      PID:13668
  - - C:\Windows\System\qHOptXb.exe
      C:\Windows\System\qHOptXb.exe
      4⤵
      PID:13720
  - - C:\Windows\System\gRwdhNV.exe
      C:\Windows\System\gRwdhNV.exe
      4⤵
      PID:13756
  - - C:\Windows\System\qxzNGUU.exe
      C:\Windows\System\qxzNGUU.exe
      4⤵
      PID:14020
  - - C:\Windows\System\bjLzycz.exe
      C:\Windows\System\bjLzycz.exe
      4⤵
      PID:14060
  - - C:\Windows\System\KkoMlps.exe
      C:\Windows\System\KkoMlps.exe
      4⤵
      PID:14104
  - - C:\Windows\System\yOgMVwc.exe
      C:\Windows\System\yOgMVwc.exe
      4⤵
      PID:14144
  - - C:\Windows\System\pTnDMVL.exe
      C:\Windows\System\pTnDMVL.exe
      4⤵
      PID:14172
  - - C:\Windows\System\mvHRADP.exe
      C:\Windows\System\mvHRADP.exe
      4⤵
      PID:14200
  - - C:\Windows\System\uTzXoJS.exe
      C:\Windows\System\uTzXoJS.exe
      4⤵
      PID:14252
  - - C:\Windows\System\AzlaYNG.exe
      C:\Windows\System\AzlaYNG.exe
      4⤵
      PID:14276
  - - C:\Windows\System\hZghCWO.exe
      C:\Windows\System\hZghCWO.exe
      4⤵
      PID:14312
  - - C:\Windows\System\uNyCNEQ.exe
      C:\Windows\System\uNyCNEQ.exe
      4⤵
      PID:13048
  - - C:\Windows\System\EorFBlA.exe
      C:\Windows\System\EorFBlA.exe
      4⤵
      PID:12456
  - - C:\Windows\System\CPktsub.exe
      C:\Windows\System\CPktsub.exe
      4⤵
      PID:12868
  - - C:\Windows\System\BOnMZjr.exe
      C:\Windows\System\BOnMZjr.exe
      4⤵
      PID:13452
  - - C:\Windows\System\BTebmmN.exe
      C:\Windows\System\BTebmmN.exe
      4⤵
      PID:13480
  - - C:\Windows\System\NQJYZvt.exe
      C:\Windows\System\NQJYZvt.exe
      4⤵
      PID:13020
  - - C:\Windows\System\hSJFqHm.exe
      C:\Windows\System\hSJFqHm.exe
      4⤵
      PID:13412
  - - C:\Windows\System\VPxPnre.exe
      C:\Windows\System\VPxPnre.exe
      4⤵
      PID:13588
  - - C:\Windows\System\maumoCO.exe
      C:\Windows\System\maumoCO.exe
      4⤵
      PID:13340
  - - C:\Windows\System\wgdXTHY.exe
      C:\Windows\System\wgdXTHY.exe
      4⤵
      PID:8636
  - - C:\Windows\System\OZuoiuU.exe
      C:\Windows\System\OZuoiuU.exe
      4⤵
      PID:13696
  - - C:\Windows\System\VzkHaHH.exe
      C:\Windows\System\VzkHaHH.exe
      4⤵
      PID:13660
  - - C:\Windows\System\YqWXRhO.exe
      C:\Windows\System\YqWXRhO.exe
      4⤵
      PID:13868
  - - C:\Windows\System\YcLGkeG.exe
      C:\Windows\System\YcLGkeG.exe
      4⤵
      PID:14120
  - - C:\Windows\System\YBOKsjj.exe
      C:\Windows\System\YBOKsjj.exe
      4⤵
      PID:14220
  - - C:\Windows\System\oNyHJxy.exe
      C:\Windows\System\oNyHJxy.exe
      4⤵
      PID:14068
  - - C:\Windows\System\lKcBnAA.exe
      C:\Windows\System\lKcBnAA.exe
      4⤵
      PID:14192
  - - C:\Windows\System\mirWVLM.exe
      C:\Windows\System\mirWVLM.exe
      4⤵
      PID:13404
  - - C:\Windows\System\IAauwpU.exe
      C:\Windows\System\IAauwpU.exe
      4⤵
      PID:13676
  - - C:\Windows\System\gaIKkkQ.exe
      C:\Windows\System\gaIKkkQ.exe
      4⤵
      PID:13496
  - - C:\Windows\System\krwuvee.exe
      C:\Windows\System\krwuvee.exe
      4⤵
      PID:12900
  - - C:\Windows\System\pLbUmZY.exe
      C:\Windows\System\pLbUmZY.exe
      4⤵
      PID:13644
  - - C:\Windows\System\EbnIhwX.exe
      C:\Windows\System\EbnIhwX.exe
      4⤵
      PID:13912
  - - C:\Windows\System\VekuCbK.exe
      C:\Windows\System\VekuCbK.exe
      4⤵
      PID:14032
  - - C:\Windows\System\UCsIWKy.exe
      C:\Windows\System\UCsIWKy.exe
      4⤵
      PID:14292
  - - C:\Windows\System\fcuboRX.exe
      C:\Windows\System\fcuboRX.exe
      4⤵
      PID:13680
  - - C:\Windows\System\bNczoLK.exe
      C:\Windows\System\bNczoLK.exe
      4⤵
      PID:11288
  - - C:\Windows\System\RSGfarH.exe
      C:\Windows\System\RSGfarH.exe
      4⤵
      PID:14368
  - - C:\Windows\System\YgLYlaT.exe
      C:\Windows\System\YgLYlaT.exe
      4⤵
      PID:14396
  - - C:\Windows\System\SFpqwXg.exe
      C:\Windows\System\SFpqwXg.exe
      4⤵
      PID:14432
  - - C:\Windows\System\PBhAmJF.exe
      C:\Windows\System\PBhAmJF.exe
      4⤵
      PID:14496
  - - C:\Windows\System\pqVaxAj.exe
      C:\Windows\System\pqVaxAj.exe
      4⤵
      PID:14520
  - - C:\Windows\System\qSFJmgr.exe
      C:\Windows\System\qSFJmgr.exe
      4⤵
      PID:14564
  - - C:\Windows\System\qazRtfn.exe
      C:\Windows\System\qazRtfn.exe
      4⤵
      PID:14588
  - - C:\Windows\System\DAfBTnf.exe
      C:\Windows\System\DAfBTnf.exe
      4⤵
      PID:14636
  - - C:\Windows\System\CvgJUYa.exe
      C:\Windows\System\CvgJUYa.exe
      4⤵
      PID:14676
  - - C:\Windows\System\czWeTJd.exe
      C:\Windows\System\czWeTJd.exe
      4⤵
      PID:14700
  - - C:\Windows\System\rtNvRzT.exe
      C:\Windows\System\rtNvRzT.exe
      4⤵
      PID:14752
  - - C:\Windows\System\mOSimen.exe
      C:\Windows\System\mOSimen.exe
      4⤵
      PID:14784
  - - C:\Windows\System\fGvZYDn.exe
      C:\Windows\System\fGvZYDn.exe
      4⤵
      PID:14824
  - - C:\Windows\System\IxLeAeX.exe
      C:\Windows\System\IxLeAeX.exe
      4⤵
      PID:14872
  - - C:\Windows\System\BoYSCNG.exe
      C:\Windows\System\BoYSCNG.exe
      4⤵
      PID:14896
  - - C:\Windows\System\SYDzrgt.exe
      C:\Windows\System\SYDzrgt.exe
      4⤵
      PID:14956
  - - C:\Windows\System\yhVuWTo.exe
      C:\Windows\System\yhVuWTo.exe
      4⤵
      PID:14984
  - - C:\Windows\System\rdPVdco.exe
      C:\Windows\System\rdPVdco.exe
      4⤵
      PID:15024
  - - C:\Windows\System\uhiTVdB.exe
      C:\Windows\System\uhiTVdB.exe
      4⤵
      PID:15080
  - - C:\Windows\System\QEkFDJu.exe
      C:\Windows\System\QEkFDJu.exe
      4⤵
      PID:15108
  - - C:\Windows\System\vCVkJPV.exe
      C:\Windows\System\vCVkJPV.exe
      4⤵
      PID:15148
  - - C:\Windows\System\OsjsgLk.exe
      C:\Windows\System\OsjsgLk.exe
      4⤵
      PID:15196
  - - C:\Windows\System\ENQwfth.exe
      C:\Windows\System\ENQwfth.exe
      4⤵
      PID:15228
  - - C:\Windows\System\muNOvFh.exe
      C:\Windows\System\muNOvFh.exe
      4⤵
      PID:15288
  - - C:\Windows\System\QybbajO.exe
      C:\Windows\System\QybbajO.exe
      4⤵
      PID:15328
  - - C:\Windows\System\BAvvJNP.exe
      C:\Windows\System\BAvvJNP.exe
      4⤵
      PID:15348
  - - C:\Windows\System\jPxRIeZ.exe
      C:\Windows\System\jPxRIeZ.exe
      4⤵
      PID:13716
  - - C:\Windows\System\rzPFmcw.exe
      C:\Windows\System\rzPFmcw.exe
      4⤵
      PID:14504
  - - C:\Windows\System\BwBRdVu.exe
      C:\Windows\System\BwBRdVu.exe
      4⤵
      PID:14452
  - - C:\Windows\System\PjJEWrn.exe
      C:\Windows\System\PjJEWrn.exe
      4⤵
      PID:14660
  - - C:\Windows\System\kjMhVzX.exe
      C:\Windows\System\kjMhVzX.exe
      4⤵
      PID:14736
  - - C:\Windows\System\riDqDNq.exe
      C:\Windows\System\riDqDNq.exe
      4⤵
      PID:14804
  - - C:\Windows\System\JETvERV.exe
      C:\Windows\System\JETvERV.exe
      4⤵
      PID:14972
  - - C:\Windows\System\TdWUllr.exe
      C:\Windows\System\TdWUllr.exe
      4⤵
      PID:15016
  - - C:\Windows\System\DgwkEfY.exe
      C:\Windows\System\DgwkEfY.exe
      4⤵
      PID:15168
  - - C:\Windows\System\aCLJyEM.exe
      C:\Windows\System\aCLJyEM.exe
      4⤵
      PID:15096
  - - C:\Windows\System\EefqgNS.exe
      C:\Windows\System\EefqgNS.exe
      4⤵
      PID:15140
  - - C:\Windows\System\PMvzOdI.exe
      C:\Windows\System\PMvzOdI.exe
      4⤵
      PID:13552
  - - C:\Windows\System\HqzvFfI.exe
      C:\Windows\System\HqzvFfI.exe
      4⤵
      PID:15256
  - - C:\Windows\System\aRLrsIL.exe
      C:\Windows\System\aRLrsIL.exe
      4⤵
      PID:15316
  - - C:\Windows\System\QgZffPM.exe
      C:\Windows\System\QgZffPM.exe
      4⤵
      PID:13748
  - - C:\Windows\System\nZIMCWh.exe
      C:\Windows\System\nZIMCWh.exe
      4⤵
      PID:14392
  - - C:\Windows\System\TDgsspe.exe
      C:\Windows\System\TDgsspe.exe
      4⤵
      PID:14732
  - - C:\Windows\System\YNGIAUl.exe
      C:\Windows\System\YNGIAUl.exe
      4⤵
      PID:14924
  - - C:\Windows\System\TJDjOfb.exe
      C:\Windows\System\TJDjOfb.exe
      4⤵
      PID:14992
  - - C:\Windows\System\aEPDXkr.exe
      C:\Windows\System\aEPDXkr.exe
      4⤵
      PID:14964
  - - C:\Windows\System\QgGDEPq.exe
      C:\Windows\System\QgGDEPq.exe
      4⤵
      PID:15280
  - - C:\Windows\System\mkZftfa.exe
      C:\Windows\System\mkZftfa.exe
      4⤵
      PID:14340
  - - C:\Windows\System\yJAImQo.exe
      C:\Windows\System\yJAImQo.exe
      4⤵
      PID:14624
  - - C:\Windows\System\EeyVbNu.exe
      C:\Windows\System\EeyVbNu.exe
      4⤵
      PID:14848
  - - C:\Windows\System\DDLWwGF.exe
      C:\Windows\System\DDLWwGF.exe
      4⤵
      PID:14812
  - - C:\Windows\System\SLixmRa.exe
      C:\Windows\System\SLixmRa.exe
      4⤵
      PID:15364
  - - C:\Windows\System\SRmKUNN.exe
      C:\Windows\System\SRmKUNN.exe
      4⤵
      PID:15396
  - - C:\Windows\System\ihHIWBI.exe
      C:\Windows\System\ihHIWBI.exe
      4⤵
      PID:15448
  - - C:\Windows\System\mDiKkWG.exe
      C:\Windows\System\mDiKkWG.exe
      4⤵
      PID:15464
  - - C:\Windows\System\AyTxKTg.exe
      C:\Windows\System\AyTxKTg.exe
      4⤵
      PID:15492
  - - C:\Windows\System\ohLAGxM.exe
      C:\Windows\System\ohLAGxM.exe
      4⤵
      PID:15532
  - - C:\Windows\System\sCWqPsR.exe
      C:\Windows\System\sCWqPsR.exe
      4⤵
      PID:15552
  - - C:\Windows\System\bnQWkkp.exe
      C:\Windows\System\bnQWkkp.exe
      4⤵
      PID:15568
  - - C:\Windows\System\AbkEkec.exe
      C:\Windows\System\AbkEkec.exe
      4⤵
      PID:15588
  - - C:\Windows\System\yAIYQAL.exe
      C:\Windows\System\yAIYQAL.exe
      4⤵
      PID:15648
  - - C:\Windows\System\jTqFajO.exe
      C:\Windows\System\jTqFajO.exe
      4⤵
      PID:15676
  - - C:\Windows\System\YjlzIga.exe
      C:\Windows\System\YjlzIga.exe
      4⤵
      PID:15708
  - - C:\Windows\System\MhqhGeE.exe
      C:\Windows\System\MhqhGeE.exe
      4⤵
      PID:15740
  - - C:\Windows\System\eBfjsvY.exe
      C:\Windows\System\eBfjsvY.exe
      4⤵
      PID:15780
  - - C:\Windows\System\eNTojPR.exe
      C:\Windows\System\eNTojPR.exe
      4⤵
      PID:15832
  - - C:\Windows\System\TzvTErP.exe
      C:\Windows\System\TzvTErP.exe
      4⤵
      PID:15852
  - - C:\Windows\System\TMBWgJP.exe
      C:\Windows\System\TMBWgJP.exe
      4⤵
      PID:15888
  - - C:\Windows\System\AkQfnSU.exe
      C:\Windows\System\AkQfnSU.exe
      4⤵
      PID:15924
  - - C:\Windows\System\BQQEJkm.exe
      C:\Windows\System\BQQEJkm.exe
      4⤵
      PID:15984
  - - C:\Windows\System\WqnUCVk.exe
      C:\Windows\System\WqnUCVk.exe
      4⤵
      PID:16000
  - - C:\Windows\System\slsVyxl.exe
      C:\Windows\System\slsVyxl.exe
      4⤵
      PID:16020
  - - C:\Windows\System\HxBHVxn.exe
      C:\Windows\System\HxBHVxn.exe
      4⤵
      PID:16036
  - - C:\Windows\System\ApPOCSW.exe
      C:\Windows\System\ApPOCSW.exe
      4⤵
      PID:16052
  - - C:\Windows\System\fXGYXBr.exe
      C:\Windows\System\fXGYXBr.exe
      4⤵
      PID:16068
  - - C:\Windows\System\RkIuajk.exe
      C:\Windows\System\RkIuajk.exe
      4⤵
      PID:16084
  - - C:\Windows\System\xrbjhXO.exe
      C:\Windows\System\xrbjhXO.exe
      4⤵
      PID:16104
  - - C:\Windows\System\QXIWYmJ.exe
      C:\Windows\System\QXIWYmJ.exe
      4⤵
      PID:16120
  - - C:\Windows\System\FcHtWRQ.exe
      C:\Windows\System\FcHtWRQ.exe
      4⤵
      PID:16148
  - - C:\Windows\System\uoyGWQT.exe
      C:\Windows\System\uoyGWQT.exe
      4⤵
      PID:16192
  - - C:\Windows\System\sRHoLTm.exe
      C:\Windows\System\sRHoLTm.exe
      4⤵
      PID:16220
  - - C:\Windows\System\UPRshUC.exe
      C:\Windows\System\UPRshUC.exe
      4⤵
      PID:16252
  - - C:\Windows\System\XhHHYoN.exe
      C:\Windows\System\XhHHYoN.exe
      4⤵
      PID:16296
  - - C:\Windows\System\BWfbclQ.exe
      C:\Windows\System\BWfbclQ.exe
      4⤵
      PID:16312
  - - C:\Windows\System\cABuRZF.exe
      C:\Windows\System\cABuRZF.exe
      4⤵
      PID:16328
  - - C:\Windows\System\NfPZaIj.exe
      C:\Windows\System\NfPZaIj.exe
      4⤵
      PID:16344
  - - C:\Windows\System\MhMhQLc.exe
      C:\Windows\System\MhMhQLc.exe
      4⤵
      PID:16360
  - - C:\Windows\System\XAorcEg.exe
      C:\Windows\System\XAorcEg.exe
      4⤵
      PID:16380
  - - C:\Windows\System\QGQXMeG.exe
      C:\Windows\System\QGQXMeG.exe
      4⤵
      PID:14720
  - - C:\Windows\System\csFKpMy.exe
      C:\Windows\System\csFKpMy.exe
      4⤵
      PID:15488
  - - C:\Windows\System\uScYNuN.exe
      C:\Windows\System\uScYNuN.exe
      4⤵
      PID:15388
  - - C:\Windows\System\jRleiqf.exe
      C:\Windows\System\jRleiqf.exe
      4⤵
      PID:15684
  - - C:\Windows\System\gKvRFKm.exe
      C:\Windows\System\gKvRFKm.exe
      4⤵
      PID:15548
  - - C:\Windows\System\uFfNvjg.exe
      C:\Windows\System\uFfNvjg.exe
      4⤵
      PID:15640
  - - C:\Windows\System\vyXgADB.exe
      C:\Windows\System\vyXgADB.exe
      4⤵
      PID:15668
  - - C:\Windows\System\bQOAGnK.exe
      C:\Windows\System\bQOAGnK.exe
      4⤵
      PID:16012
  - - C:\Windows\System\fOyMjor.exe
      C:\Windows\System\fOyMjor.exe
      4⤵
      PID:15788
  - - C:\Windows\System\GMzogdn.exe
      C:\Windows\System\GMzogdn.exe
      4⤵
      PID:16168
  - - C:\Windows\System\cfGxViU.exe
      C:\Windows\System\cfGxViU.exe
      4⤵
      PID:16128
  - - C:\Windows\System\chCCgVV.exe
      C:\Windows\System\chCCgVV.exe
      4⤵
      PID:16268
  - - C:\Windows\System\eZxMjqQ.exe
      C:\Windows\System\eZxMjqQ.exe
      4⤵
      PID:16184
  - - C:\Windows\System\YtfIASh.exe
      C:\Windows\System\YtfIASh.exe
      4⤵
      PID:16308
  - - C:\Windows\System\nspYIhn.exe
      C:\Windows\System\nspYIhn.exe
      4⤵
      PID:15384
  - - C:\Windows\System\RRSgBrU.exe
      C:\Windows\System\RRSgBrU.exe
      4⤵
      PID:15940
  - - C:\Windows\System\naNMAhB.exe
      C:\Windows\System\naNMAhB.exe
      4⤵
      PID:15512
  - - C:\Windows\System\xIPUsRW.exe
      C:\Windows\System\xIPUsRW.exe
      4⤵
      PID:16264
  - - C:\Windows\System\UBTkhwx.exe
      C:\Windows\System\UBTkhwx.exe
      4⤵
      PID:15516
  - - C:\Windows\System\DqBFypI.exe
      C:\Windows\System\DqBFypI.exe
      4⤵
      PID:16400
  - - C:\Windows\System\bRlfuzV.exe
      C:\Windows\System\bRlfuzV.exe
      4⤵
      PID:16428
  - - C:\Windows\System\uMPHLte.exe
      C:\Windows\System\uMPHLte.exe
      4⤵
      PID:16472
  - - C:\Windows\System\KgYgANU.exe
      C:\Windows\System\KgYgANU.exe
      4⤵
      PID:16508
  - - C:\Windows\System\tBBSytN.exe
      C:\Windows\System\tBBSytN.exe
      4⤵
      PID:16568
  - - C:\Windows\System\FqiLdsU.exe
      C:\Windows\System\FqiLdsU.exe
      4⤵
      PID:16616
  - - C:\Windows\System\qSENYwG.exe
      C:\Windows\System\qSENYwG.exe
      4⤵
      PID:16640
  - - C:\Windows\System\oYQagrq.exe
      C:\Windows\System\oYQagrq.exe
      4⤵
      PID:16656
  - - C:\Windows\System\VRwGHJd.exe
      C:\Windows\System\VRwGHJd.exe
      4⤵
      PID:16672
  - - C:\Windows\System\LThsouy.exe
      C:\Windows\System\LThsouy.exe
      4⤵
      PID:16728
  - - C:\Windows\System\OztiaEG.exe
      C:\Windows\System\OztiaEG.exe
      4⤵
      PID:16804
  - - C:\Windows\System\TNgEmcP.exe
      C:\Windows\System\TNgEmcP.exe
      4⤵
      PID:16828
  - - C:\Windows\System\zIAcWfK.exe
      C:\Windows\System\zIAcWfK.exe
      4⤵
      PID:16860
  - - C:\Windows\System\yAfLwFA.exe
      C:\Windows\System\yAfLwFA.exe
      4⤵
      PID:16912
  - - C:\Windows\System\hqaEXYh.exe
      C:\Windows\System\hqaEXYh.exe
      4⤵
      PID:16960
  - - C:\Windows\System\gxCTPMJ.exe
      C:\Windows\System\gxCTPMJ.exe
      4⤵
      PID:16984
  - - C:\Windows\System\IYmnJIh.exe
      C:\Windows\System\IYmnJIh.exe
      4⤵
      PID:17044
  - - C:\Windows\System\aVgNGyK.exe
      C:\Windows\System\aVgNGyK.exe
      4⤵
      PID:17076
  - - C:\Windows\System\yKUCvZh.exe
      C:\Windows\System\yKUCvZh.exe
      4⤵
      PID:17116
  - - C:\Windows\System\OuGoLpt.exe
      C:\Windows\System\OuGoLpt.exe
      4⤵
      PID:17172
  - - C:\Windows\System\gAVDSCV.exe
      C:\Windows\System\gAVDSCV.exe
      4⤵
      PID:17228
  - - C:\Windows\System\EdzmVZA.exe
      C:\Windows\System\EdzmVZA.exe
      4⤵
      PID:17256
  - - C:\Windows\System\lKhFQTL.exe
      C:\Windows\System\lKhFQTL.exe
      4⤵
      PID:17280
  - - C:\Windows\System\fzpvSsX.exe
      C:\Windows\System\fzpvSsX.exe
      4⤵
      PID:17320
  - - C:\Windows\System\sEYluXI.exe
      C:\Windows\System\sEYluXI.exe
      4⤵
      PID:17388
  - - C:\Windows\System\yUftbpX.exe
      C:\Windows\System\yUftbpX.exe
      4⤵
      PID:16356
  - - C:\Windows\System\rkuzONi.exe
      C:\Windows\System\rkuzONi.exe
      4⤵
      PID:15456
  - - C:\Windows\System\GymFyWq.exe
      C:\Windows\System\GymFyWq.exe
      4⤵
      PID:14840
  - - C:\Windows\System\lxJUqwi.exe
      C:\Windows\System\lxJUqwi.exe
      4⤵
      PID:16520
  - - C:\Windows\System\NXMGyVI.exe
      C:\Windows\System\NXMGyVI.exe
      4⤵
      PID:16436
  - - C:\Windows\System\GpFYgGa.exe
      C:\Windows\System\GpFYgGa.exe
      4⤵
      PID:16468
  - - C:\Windows\System\GEHKzxQ.exe
      C:\Windows\System\GEHKzxQ.exe
      4⤵
      PID:16608
  - - C:\Windows\System\dfIoaPl.exe
      C:\Windows\System\dfIoaPl.exe
      4⤵
      PID:16584
  - - C:\Windows\System\fDDAAzQ.exe
      C:\Windows\System\fDDAAzQ.exe
      4⤵
      PID:16680
  - - C:\Windows\System\ntdWVKV.exe
      C:\Windows\System\ntdWVKV.exe
      4⤵
      PID:16724
  - - C:\Windows\System\ZQtNCJC.exe
      C:\Windows\System\ZQtNCJC.exe
      4⤵
      PID:16976
  - - C:\Windows\System\kTqMDgD.exe
      C:\Windows\System\kTqMDgD.exe
      4⤵
      PID:16928
  - - C:\Windows\System\IZaEMqF.exe
      C:\Windows\System\IZaEMqF.exe
      4⤵
      PID:16876
  - - C:\Windows\System\zbItwOl.exe
      C:\Windows\System\zbItwOl.exe
      4⤵
      PID:16904
  - - C:\Windows\System\hPHvpXX.exe
      C:\Windows\System\hPHvpXX.exe
      4⤵
      PID:17212
  - - C:\Windows\System\uNALdaz.exe
      C:\Windows\System\uNALdaz.exe
      4⤵
      PID:17308
  - - C:\Windows\System\BMMFiIs.exe
      C:\Windows\System\BMMFiIs.exe
      4⤵
      PID:16320
  - - C:\Windows\System\TggNkrY.exe
      C:\Windows\System\TggNkrY.exe
      4⤵
      PID:14688
  - - C:\Windows\System\Wlyrshs.exe
      C:\Windows\System\Wlyrshs.exe
      4⤵
      PID:15932
  - - C:\Windows\System\MJIISEV.exe
      C:\Windows\System\MJIISEV.exe
      4⤵
      PID:16116
  - - C:\Windows\System\ARQJyfa.exe
      C:\Windows\System\ARQJyfa.exe
      4⤵
      PID:16784
  - - C:\Windows\System\ftEnQlB.exe
      C:\Windows\System\ftEnQlB.exe
      4⤵
      PID:16892
  - - C:\Windows\System\ZHEwDCM.exe
      C:\Windows\System\ZHEwDCM.exe
      4⤵
      PID:16816
  - - C:\Windows\System\EwJVtTC.exe
      C:\Windows\System\EwJVtTC.exe
      4⤵
      PID:17328
  - - C:\Windows\System\hjBMbEo.exe
      C:\Windows\System\hjBMbEo.exe
      4⤵
      PID:17452
  - - C:\Windows\System\vGtKtPw.exe
      C:\Windows\System\vGtKtPw.exe
      4⤵
      PID:17472
  - - C:\Windows\System\klPojSM.exe
      C:\Windows\System\klPojSM.exe
      4⤵
      PID:17512
  - - C:\Windows\System\CcRKiVX.exe
      C:\Windows\System\CcRKiVX.exe
      4⤵
      PID:17560
  - - C:\Windows\System\dcLzuye.exe
      C:\Windows\System\dcLzuye.exe
      4⤵
      PID:17592
  - - C:\Windows\System\tThGvQH.exe
      C:\Windows\System\tThGvQH.exe
      4⤵
      PID:17608
  - - C:\Windows\System\oBDWDBS.exe
      C:\Windows\System\oBDWDBS.exe
      4⤵
      PID:17644
  - - C:\Windows\System\MMrsFoT.exe
      C:\Windows\System\MMrsFoT.exe
      4⤵
      PID:17692
  - - C:\Windows\System\rqEVHjs.exe
      C:\Windows\System\rqEVHjs.exe
      4⤵
      PID:17728
  - - C:\Windows\System\LVcJzjJ.exe
      C:\Windows\System\LVcJzjJ.exe
      4⤵
      PID:17764
  - - C:\Windows\System\ISUOxFX.exe
      C:\Windows\System\ISUOxFX.exe
      4⤵
      PID:17788
  - - C:\Windows\System\EVNUEav.exe
      C:\Windows\System\EVNUEav.exe
      4⤵
      PID:17816
  - - C:\Windows\System\MFvikJu.exe
      C:\Windows\System\MFvikJu.exe
      4⤵
      PID:17852
  - - C:\Windows\System\tAZRmWi.exe
      C:\Windows\System\tAZRmWi.exe
      4⤵
      PID:17888
  - - C:\Windows\System\hhnTfzm.exe
      C:\Windows\System\hhnTfzm.exe
      4⤵
      PID:17920
  - - C:\Windows\System\XjqDMoP.exe
      C:\Windows\System\XjqDMoP.exe
      4⤵
      PID:17948
  - - C:\Windows\System\WsbmMse.exe
      C:\Windows\System\WsbmMse.exe
      4⤵
      PID:17996
  - - C:\Windows\System\giMbxwQ.exe
      C:\Windows\System\giMbxwQ.exe
      4⤵
      PID:18012
  - - C:\Windows\System\NlxPrpK.exe
      C:\Windows\System\NlxPrpK.exe
      4⤵
      PID:18052
  - - C:\Windows\System\zitRzEa.exe
      C:\Windows\System\zitRzEa.exe
      4⤵
      PID:18084
  - - C:\Windows\System\hJazMaM.exe
      C:\Windows\System\hJazMaM.exe
      4⤵
      PID:18136
  - - C:\Windows\System\hYIzoNO.exe
      C:\Windows\System\hYIzoNO.exe
      4⤵
      PID:18160
  - - C:\Windows\System\ZbhNVUh.exe
      C:\Windows\System\ZbhNVUh.exe
      4⤵
      PID:18200
  - - C:\Windows\System\oskVmQD.exe
      C:\Windows\System\oskVmQD.exe
      4⤵
      PID:18240
  - - C:\Windows\System\HFxyuDC.exe
      C:\Windows\System\HFxyuDC.exe
      4⤵
      PID:18268
  - - C:\Windows\System\eMkdnaO.exe
      C:\Windows\System\eMkdnaO.exe
      4⤵
      PID:18296
  - - C:\Windows\System\JwjXcpF.exe
      C:\Windows\System\JwjXcpF.exe
      4⤵
      PID:18332
  - - C:\Windows\System\CHarKHt.exe
      C:\Windows\System\CHarKHt.exe
      4⤵
      PID:18356
  - - C:\Windows\System\ZdeAxbo.exe
      C:\Windows\System\ZdeAxbo.exe
      4⤵
      PID:18412
  - - C:\Windows\System\XrNrJnY.exe
      C:\Windows\System\XrNrJnY.exe
      4⤵
      PID:17396
  - - C:\Windows\System\ENTxEty.exe
      C:\Windows\System\ENTxEty.exe
      4⤵
      PID:17244
  - - C:\Windows\System\uVXeSra.exe
      C:\Windows\System\uVXeSra.exe
      4⤵
      PID:16556
  - - C:\Windows\System\FFQuSkn.exe
      C:\Windows\System\FFQuSkn.exe
      4⤵
      PID:17208
  - - C:\Windows\System\vsOrqMd.exe
      C:\Windows\System\vsOrqMd.exe
      4⤵
      PID:17480
  - - C:\Windows\System\ZPakoRM.exe
      C:\Windows\System\ZPakoRM.exe
      4⤵
      PID:16880
  - - C:\Windows\System\nuAMrfY.exe
      C:\Windows\System\nuAMrfY.exe
      4⤵
      PID:17628
  - - C:\Windows\System\zehheOp.exe
      C:\Windows\System\zehheOp.exe
      4⤵
      PID:17736
  - - C:\Windows\System\evBIgZh.exe
      C:\Windows\System\evBIgZh.exe
      4⤵
      PID:17656
  - - C:\Windows\System\niWIAtC.exe
      C:\Windows\System\niWIAtC.exe
      4⤵
      PID:17868
  - - C:\Windows\System\ewUzuUC.exe
      C:\Windows\System\ewUzuUC.exe
      4⤵
      PID:17668
  - - C:\Windows\System\ffehgow.exe
      C:\Windows\System\ffehgow.exe
      4⤵
      PID:17976
  - - C:\Windows\System\kIRNvbR.exe
      C:\Windows\System\kIRNvbR.exe
      4⤵
      PID:18116
  - - C:\Windows\System\kHrwmlH.exe
      C:\Windows\System\kHrwmlH.exe
      4⤵
      PID:18072
  - - C:\Windows\System\REiajrs.exe
      C:\Windows\System\REiajrs.exe
      4⤵
      PID:18024
  - - C:\Windows\System\NLakife.exe
      C:\Windows\System\NLakife.exe
      4⤵
      PID:18248
  - - C:\Windows\System\oRWACxb.exe
      C:\Windows\System\oRWACxb.exe
      4⤵
      PID:3160
  - - C:\Windows\System\ULtzfYE.exe
      C:\Windows\System\ULtzfYE.exe
      4⤵
      PID:17164
  - - C:\Windows\System\qabrkpC.exe
      C:\Windows\System\qabrkpC.exe
      4⤵
      PID:18340
  - - C:\Windows\System\cFzNURD.exe
      C:\Windows\System\cFzNURD.exe
      4⤵
      PID:18408
  - - C:\Windows\System\ZYihjrf.exe
      C:\Windows\System\ZYihjrf.exe
      4⤵
      PID:17432
  - - C:\Windows\System\KqNqMSM.exe
      C:\Windows\System\KqNqMSM.exe
      4⤵
      PID:17992
  - - C:\Windows\System\OpOPZUi.exe
      C:\Windows\System\OpOPZUi.exe
      4⤵
      PID:17760
  - - C:\Windows\System\sarJUkP.exe
      C:\Windows\System\sarJUkP.exe
      4⤵
      PID:17784
  - - C:\Windows\System\KaJrOvP.exe
      C:\Windows\System\KaJrOvP.exe
      4⤵
      PID:17536
  - - C:\Windows\System\doYizus.exe
      C:\Windows\System\doYizus.exe
      4⤵
      PID:15880
  - - C:\Windows\System\EgLlADK.exe
      C:\Windows\System\EgLlADK.exe
      4⤵
      PID:17500
  - - C:\Windows\System\ReEWIwF.exe
      C:\Windows\System\ReEWIwF.exe
      4⤵
      PID:17000
  - - C:\Windows\System\gMFpUKf.exe
      C:\Windows\System\gMFpUKf.exe
      4⤵
      PID:17460
  - - C:\Windows\System\dCnIjxz.exe
      C:\Windows\System\dCnIjxz.exe
      4⤵
      PID:18472
  - - C:\Windows\System\IQzUmZo.exe
      C:\Windows\System\IQzUmZo.exe
      4⤵
      PID:18516
  - - C:\Windows\System\eKyZyqu.exe
      C:\Windows\System\eKyZyqu.exe
      4⤵
      PID:18556
  - - C:\Windows\System\QiZRSSp.exe
      C:\Windows\System\QiZRSSp.exe
      4⤵
      PID:18588
  - - C:\Windows\System\XHXuCLE.exe
      C:\Windows\System\XHXuCLE.exe
      4⤵
      PID:18624
  - - C:\Windows\System\eDHqwCt.exe
      C:\Windows\System\eDHqwCt.exe
      4⤵
      PID:18660
  - - C:\Windows\System\auPfdyE.exe
      C:\Windows\System\auPfdyE.exe
      4⤵
      PID:18724
  - - C:\Windows\System\YpfvwAK.exe
      C:\Windows\System\YpfvwAK.exe
      4⤵
      PID:18764
  - - C:\Windows\System\yiKmMcX.exe
      C:\Windows\System\yiKmMcX.exe
      4⤵
      PID:18800
  - - C:\Windows\System\VrAfLMr.exe
      C:\Windows\System\VrAfLMr.exe
      4⤵
      PID:18828
  - - C:\Windows\System\JjiwYiQ.exe
      C:\Windows\System\JjiwYiQ.exe
      4⤵
      PID:19036
  - - C:\Windows\System\OneyxhU.exe
      C:\Windows\System\OneyxhU.exe
      4⤵
      PID:19092
  - - C:\Windows\System\TiFmudq.exe
      C:\Windows\System\TiFmudq.exe
      4⤵
      PID:19112
  - - C:\Windows\System\kBntlyJ.exe
      C:\Windows\System\kBntlyJ.exe
      4⤵
      PID:19136
  - - C:\Windows\System\IXvuklu.exe
      C:\Windows\System\IXvuklu.exe
      4⤵
      PID:19184
  - - C:\Windows\System\isVxLOn.exe
      C:\Windows\System\isVxLOn.exe
      4⤵
      PID:19232
  - - C:\Windows\System\CRyduzP.exe
      C:\Windows\System\CRyduzP.exe
      4⤵
      PID:19264
  - - C:\Windows\System\GSkdjNt.exe
      C:\Windows\System\GSkdjNt.exe
      4⤵
      PID:19296
  - - C:\Windows\System\OxUCXtj.exe
      C:\Windows\System\OxUCXtj.exe
      4⤵
      PID:19348
  - - C:\Windows\System\GYBTTCD.exe
      C:\Windows\System\GYBTTCD.exe
      4⤵
      PID:19452
  - - C:\Windows\System\UzyCSIh.exe
      C:\Windows\System\UzyCSIh.exe
      4⤵
      PID:18400
  - - C:\Windows\System\txurgCK.exe
      C:\Windows\System\txurgCK.exe
      4⤵
      PID:18452
  - - C:\Windows\System\NmhxaiQ.exe
      C:\Windows\System\NmhxaiQ.exe
      4⤵
      PID:18468
  - - C:\Windows\System\yXhOnDj.exe
      C:\Windows\System\yXhOnDj.exe
      4⤵
      PID:18512
  - - C:\Windows\System\FaYTZEM.exe
      C:\Windows\System\FaYTZEM.exe
      4⤵
      PID:18396
  - - C:\Windows\System\gIuTeva.exe
      C:\Windows\System\gIuTeva.exe
      4⤵
      PID:18748
  - - C:\Windows\System\RQRxBDR.exe
      C:\Windows\System\RQRxBDR.exe
      4⤵
      PID:18816
  - - C:\Windows\System\xevSAlr.exe
      C:\Windows\System\xevSAlr.exe
      4⤵
      PID:18920
  - - C:\Windows\System\cOdYwmL.exe
      C:\Windows\System\cOdYwmL.exe
      4⤵
      PID:19100
  - - C:\Windows\System\xYuSBmm.exe
      C:\Windows\System\xYuSBmm.exe
      4⤵
      PID:15860
  - - C:\Windows\System\KgVkkRo.exe
      C:\Windows\System\KgVkkRo.exe
      4⤵
      PID:19192
  - - C:\Windows\System\kDXLGOY.exe
      C:\Windows\System\kDXLGOY.exe
      4⤵
      PID:19064
  - - C:\Windows\System\RYJAZwz.exe
      C:\Windows\System\RYJAZwz.exe
      4⤵
      PID:7480
  - - C:\Windows\System\LazxQIL.exe
      C:\Windows\System\LazxQIL.exe
      4⤵
      PID:19312
  - - C:\Windows\System\CKrOpAZ.exe
      C:\Windows\System\CKrOpAZ.exe
      4⤵
      PID:19284
  - - C:\Windows\System\SohInhs.exe
      C:\Windows\System\SohInhs.exe
      4⤵
      PID:19320
  - - C:\Windows\System\gtZtlqa.exe
      C:\Windows\System\gtZtlqa.exe
      4⤵
      PID:16856
  - - C:\Windows\System\NjmMeGP.exe
      C:\Windows\System\NjmMeGP.exe
      4⤵
      PID:17932
  - - C:\Windows\System\YIkHXvm.exe
      C:\Windows\System\YIkHXvm.exe
      4⤵
      PID:18480
  - - C:\Windows\System\kJIzOng.exe
      C:\Windows\System\kJIzOng.exe
      4⤵
      PID:18676
  - - C:\Windows\System\RHnYxQf.exe
      C:\Windows\System\RHnYxQf.exe
      4⤵
      PID:18648
  - - C:\Windows\System\xzctwcR.exe
      C:\Windows\System\xzctwcR.exe
      4⤵
      PID:18636
  - - C:\Windows\System\PjtPxGt.exe
      C:\Windows\System\PjtPxGt.exe
      4⤵
      PID:18844
  - - C:\Windows\System\LRrIsxv.exe
      C:\Windows\System\LRrIsxv.exe
      4⤵
      PID:18756
  - - C:\Windows\System\JkwwoLn.exe
      C:\Windows\System\JkwwoLn.exe
      4⤵
      PID:19080
  - - C:\Windows\System\uEzmCHM.exe
      C:\Windows\System\uEzmCHM.exe
      4⤵
      PID:19060
  - - C:\Windows\System\zRhSNVn.exe
      C:\Windows\System\zRhSNVn.exe
      4⤵
      PID:19356
  - - C:\Windows\System\cKsvKyO.exe
      C:\Windows\System\cKsvKyO.exe
      4⤵
      PID:17664
  - - C:\Windows\System\iBOYAfZ.exe
      C:\Windows\System\iBOYAfZ.exe
      4⤵
      PID:19148
  - - C:\Windows\System\wNoIJrl.exe
      C:\Windows\System\wNoIJrl.exe
      4⤵
      PID:19460
  - - C:\Windows\System\JrZnBAP.exe
      C:\Windows\System\JrZnBAP.exe
      4⤵
      PID:19500
  - - C:\Windows\System\HxpRGiH.exe
      C:\Windows\System\HxpRGiH.exe
      4⤵
      PID:19548
  - - C:\Windows\System\tNLzJtO.exe
      C:\Windows\System\tNLzJtO.exe
      4⤵
      PID:19584
  - - C:\Windows\System\cuLoWKf.exe
      C:\Windows\System\cuLoWKf.exe
      4⤵
      PID:19632
  - - C:\Windows\System\EbIuGTR.exe
      C:\Windows\System\EbIuGTR.exe
      4⤵
      PID:19664
  - - C:\Windows\System\bTPZuUX.exe
      C:\Windows\System\bTPZuUX.exe
      4⤵
      PID:19708
  - - C:\Windows\System\JDfSuPy.exe
      C:\Windows\System\JDfSuPy.exe
      4⤵
      PID:19748
  - - C:\Windows\System\bBrkIKy.exe
      C:\Windows\System\bBrkIKy.exe
      4⤵
      PID:19764
- - C:\Users\Admin\Desktop\malwar\virussign.com_8909a327b78df6f1393349086fed94f0.vir
    virussign.com_8909a327b78df6f1393349086fed94f0.vir
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4048
- - C:\Users\Admin\Desktop\malwar\virussign.com_8df053c876529979fc9aa0b52c344150.vir
    virussign.com_8df053c876529979fc9aa0b52c344150.vir
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:3932
- - C:\Users\Admin\Desktop\malwar\virussign.com_93c00ea8da25c42b7b096dd91e3cb4b0.vir
    virussign.com_93c00ea8da25c42b7b096dd91e3cb4b0.vir
    3⤵
    PID:5036
  - - C:\Windows\SysWOW64\Hplbickp.exe
      C:\Windows\system32\Hplbickp.exe
      4⤵
      PID:428
    - - C:\Windows\SysWOW64\Hlbcnd32.exe
        
        C:\Windows\system32\Hlbcnd32.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5128
      - C:\Windows\SysWOW64\Hpqldc32.exe
        
        C:\Windows\system32\Hpqldc32.exe
        6⤵
        
        PID:5348
        
        C:\Windows\SysWOW64\Hoeieolb.exe
        
        C:\Windows\system32\Hoeieolb.exe
        7⤵
        
        PID:5540
        
        C:\Windows\SysWOW64\Ifomll32.exe
        
        C:\Windows\system32\Ifomll32.exe
        8⤵
        Drops file in System32 directory
        
        PID:5864
        
        C:\Windows\SysWOW64\Iojbpo32.exe
        
        C:\Windows\system32\Iojbpo32.exe
        9⤵
        
        PID:6036
        
        C:\Windows\SysWOW64\Iefgbh32.exe
        
        C:\Windows\system32\Iefgbh32.exe
        10⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5328
        
        C:\Windows\SysWOW64\Jghpbk32.exe
        
        C:\Windows\system32\Jghpbk32.exe
        11⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\Jgkmgk32.exe
        
        C:\Windows\system32\Jgkmgk32.exe
        12⤵
        Drops file in System32 directory
        
        PID:6344
        
        C:\Windows\SysWOW64\Jcanll32.exe
        
        C:\Windows\system32\Jcanll32.exe
        13⤵
        Modifies registry class
        
        PID:6552
        
        C:\Windows\SysWOW64\Jinboekc.exe
        
        C:\Windows\system32\Jinboekc.exe
        14⤵
        
        PID:6928
        
        C:\Windows\SysWOW64\Kegpifod.exe
        
        C:\Windows\system32\Kegpifod.exe
        15⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\Kpmdfonj.exe
        
        C:\Windows\system32\Kpmdfonj.exe
        16⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\Koaagkcb.exe
        
        C:\Windows\system32\Koaagkcb.exe
        17⤵
        
        PID:6228
        
        C:\Windows\SysWOW64\Kncaec32.exe
        
        C:\Windows\system32\Kncaec32.exe
        18⤵
        
        PID:824
        
        C:\Windows\SysWOW64\Kjjbjd32.exe
        
        C:\Windows\system32\Kjjbjd32.exe
        19⤵
        
        PID:7288
        
        C:\Windows\SysWOW64\Lpfgmnfp.exe
        
        C:\Windows\system32\Lpfgmnfp.exe
        20⤵
        
        PID:7552
        
        C:\Windows\SysWOW64\Ljnlecmp.exe
        
        C:\Windows\system32\Ljnlecmp.exe
        21⤵
        
        PID:7676
        
        C:\Windows\SysWOW64\Lgdidgjg.exe
        
        C:\Windows\system32\Lgdidgjg.exe
        22⤵
        
        PID:8120
        
        C:\Windows\SysWOW64\Lqojclne.exe
        
        C:\Windows\system32\Lqojclne.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:7568
        
        C:\Windows\SysWOW64\Modgdicm.exe
        
        C:\Windows\system32\Modgdicm.exe
        24⤵
        
        PID:7612
        
        C:\Windows\SysWOW64\Mnegbp32.exe
        
        C:\Windows\system32\Mnegbp32.exe
        25⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\Moipoh32.exe
        
        C:\Windows\system32\Moipoh32.exe
        26⤵
        
        PID:8488
        
        C:\Windows\SysWOW64\Mnjqmpgg.exe
        
        C:\Windows\system32\Mnjqmpgg.exe
        27⤵
        
        PID:8692
        
        C:\Windows\SysWOW64\Mjaabq32.exe
        
        C:\Windows\system32\Mjaabq32.exe
        28⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\Mcifkf32.exe
        
        C:\Windows\system32\Mcifkf32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:9112
        
        C:\Windows\SysWOW64\Nopfpgip.exe
        
        C:\Windows\system32\Nopfpgip.exe
        30⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\Nmdgikhi.exe
        
        C:\Windows\system32\Nmdgikhi.exe
        31⤵
        
        PID:8580
        
        C:\Windows\SysWOW64\Ngjkfd32.exe
        
        C:\Windows\system32\Ngjkfd32.exe
        32⤵
        Drops file in System32 directory
        
        PID:8700
        
        C:\Windows\SysWOW64\Nmfcok32.exe
        
        C:\Windows\system32\Nmfcok32.exe
        33⤵
        
        PID:9080
        
        C:\Windows\SysWOW64\Nmkmjjaa.exe
        
        C:\Windows\system32\Nmkmjjaa.exe
        34⤵
        
        PID:9232
        
        C:\Windows\SysWOW64\Nfcabp32.exe
        
        C:\Windows\system32\Nfcabp32.exe
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:9404
        
        C:\Windows\SysWOW64\Ojajin32.exe
        
        C:\Windows\system32\Ojajin32.exe
        36⤵
        Modifies registry class
        
        PID:9744
        
        C:\Windows\SysWOW64\Opnbae32.exe
        
        C:\Windows\system32\Opnbae32.exe
        37⤵
        System Location Discovery: System Language Discovery
        
        PID:9892
        
        C:\Windows\SysWOW64\Ombcji32.exe
        
        C:\Windows\system32\Ombcji32.exe
        38⤵
        Modifies registry class
        
        PID:10124
        
        C:\Windows\SysWOW64\Ojfcdnjc.exe
        
        C:\Windows\system32\Ojfcdnjc.exe
        39⤵
        
        PID:9240
        
        C:\Windows\SysWOW64\Ocohmc32.exe
        
        C:\Windows\system32\Ocohmc32.exe
        40⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\Pnfiplog.exe
        
        C:\Windows\system32\Pnfiplog.exe
        41⤵
        
        PID:9964
        
        C:\Windows\SysWOW64\Phonha32.exe
        
        C:\Windows\system32\Phonha32.exe
        42⤵
        
        PID:10224
        
        C:\Windows\SysWOW64\Ppjbmc32.exe
        
        C:\Windows\system32\Ppjbmc32.exe
        43⤵
        
        PID:10072
        
        C:\Windows\SysWOW64\Pnkbkk32.exe
        
        C:\Windows\system32\Pnkbkk32.exe
        44⤵
        
        PID:10412
        
        C:\Windows\SysWOW64\Pmpolgoi.exe
        
        C:\Windows\system32\Pmpolgoi.exe
        45⤵
        
        PID:10632
        
        C:\Windows\SysWOW64\Pfiddm32.exe
        
        C:\Windows\system32\Pfiddm32.exe
        46⤵
        Modifies registry class
        
        PID:10776
        
        C:\Windows\SysWOW64\Ppahmb32.exe
        
        C:\Windows\system32\Ppahmb32.exe
        47⤵
        
        PID:10928
        
        C:\Windows\SysWOW64\Qobhkjdi.exe
        
        C:\Windows\system32\Qobhkjdi.exe
        48⤵
        
        PID:11104
        
        C:\Windows\SysWOW64\Qjiipk32.exe
        
        C:\Windows\system32\Qjiipk32.exe
        49⤵
        
        PID:10288
        
        C:\Windows\SysWOW64\Qacameaj.exe
        
        C:\Windows\system32\Qacameaj.exe
        50⤵
        Drops file in System32 directory
        
        PID:10504
        
        C:\Windows\SysWOW64\Amjbbfgo.exe
        
        C:\Windows\system32\Amjbbfgo.exe
        51⤵
        Drops file in System32 directory
        
        PID:10860
        
        C:\Windows\SysWOW64\Aknbkjfh.exe
        
        C:\Windows\system32\Aknbkjfh.exe
        52⤵
        
        PID:11256
        
        C:\Windows\SysWOW64\Adfgdpmi.exe
        
        C:\Windows\system32\Adfgdpmi.exe
        53⤵
        
        PID:9392
        
        C:\Windows\SysWOW64\Aggpfkjj.exe
        
        C:\Windows\system32\Aggpfkjj.exe
        54⤵
        
        PID:11384
        
        C:\Windows\SysWOW64\Ahfmpnql.exe
        
        C:\Windows\system32\Ahfmpnql.exe
        55⤵
        
        PID:11628
        
        C:\Windows\SysWOW64\Bdmmeo32.exe
        
        C:\Windows\system32\Bdmmeo32.exe
        56⤵
        
        PID:11840
        
        C:\Windows\SysWOW64\Bobabg32.exe
        
        C:\Windows\system32\Bobabg32.exe
        57⤵
        
        PID:11992
        
        C:\Windows\SysWOW64\Bgnffj32.exe
        
        C:\Windows\system32\Bgnffj32.exe
        58⤵
        
        PID:12216
        
        C:\Windows\SysWOW64\Bpkdjofm.exe
        
        C:\Windows\system32\Bpkdjofm.exe
        59⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\Boldhf32.exe
        
        C:\Windows\system32\Boldhf32.exe
        60⤵
        Modifies registry class
        
        PID:2612
        
        C:\Windows\SysWOW64\Ckbemgcp.exe
        
        C:\Windows\system32\Ckbemgcp.exe
        61⤵
        
        PID:12464
        
        C:\Windows\SysWOW64\Cponen32.exe
        
        C:\Windows\system32\Cponen32.exe
        62⤵
        
        PID:12592
        
        C:\Windows\SysWOW64\Ckebcg32.exe
        
        C:\Windows\system32\Ckebcg32.exe
        63⤵
        
        PID:12788
        
        C:\Windows\SysWOW64\Cdmfllhn.exe
        
        C:\Windows\system32\Cdmfllhn.exe
        64⤵
        
        PID:13004
        
        C:\Windows\SysWOW64\Cocjiehd.exe
        
        C:\Windows\system32\Cocjiehd.exe
        65⤵
        Drops file in System32 directory
        
        PID:13140
        
        C:\Windows\SysWOW64\Cdpcal32.exe
        
        C:\Windows\system32\Cdpcal32.exe
        66⤵
        
        PID:12064
        
        C:\Windows\SysWOW64\Cpfcfmlp.exe
        
        C:\Windows\system32\Cpfcfmlp.exe
        67⤵
        
        PID:12560
        
        C:\Windows\SysWOW64\Cogddd32.exe
        
        C:\Windows\system32\Cogddd32.exe
        68⤵
        
        PID:12736
        
        C:\Windows\SysWOW64\Dddllkbf.exe
        
        C:\Windows\system32\Dddllkbf.exe
        69⤵
        
        PID:11560
        
        C:\Windows\SysWOW64\Dkndie32.exe
        
        C:\Windows\system32\Dkndie32.exe
        70⤵
        
        PID:12764
        
        C:\Windows\SysWOW64\Ddgibkpc.exe
        
        C:\Windows\system32\Ddgibkpc.exe
        71⤵
        
        PID:13292
        
        C:\Windows\SysWOW64\Dggbcf32.exe
        
        C:\Windows\system32\Dggbcf32.exe
        72⤵
        
        PID:13508
        
        C:\Windows\SysWOW64\Dqpfmlce.exe
        
        C:\Windows\system32\Dqpfmlce.exe
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:13700
        
        C:\Windows\SysWOW64\Dndgfpbo.exe
        
        C:\Windows\system32\Dndgfpbo.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:13960
        
        C:\Windows\SysWOW64\Dglkoeio.exe
        
        C:\Windows\system32\Dglkoeio.exe
        75⤵
        Drops file in System32 directory
        
        PID:14084
        
        C:\Windows\SysWOW64\Ebaplnie.exe
        
        C:\Windows\system32\Ebaplnie.exe
        76⤵
        
        PID:14232
        
        C:\Windows\SysWOW64\Egohdegl.exe
        
        C:\Windows\system32\Egohdegl.exe
        77⤵
        
        PID:12524
        
        C:\Windows\SysWOW64\Egaejeej.exe
        
        C:\Windows\system32\Egaejeej.exe
        78⤵
        
        PID:13536
        
        C:\Windows\SysWOW64\Edeeci32.exe
        
        C:\Windows\system32\Edeeci32.exe
        79⤵
        
        PID:14332
        
        C:\Windows\SysWOW64\Egcaod32.exe
        
        C:\Windows\system32\Egcaod32.exe
        80⤵
        
        PID:11872
        
        C:\Windows\SysWOW64\Enmjlojd.exe
        
        C:\Windows\system32\Enmjlojd.exe
        81⤵
        Modifies registry class
        
        PID:13012
        
        C:\Windows\SysWOW64\Enpfan32.exe
        
        C:\Windows\system32\Enpfan32.exe
        82⤵
        
        PID:14444
        
        C:\Windows\SysWOW64\Eiekog32.exe
        
        C:\Windows\system32\Eiekog32.exe
        83⤵
        Drops file in System32 directory
        
        PID:14644
        
        C:\Windows\SysWOW64\Ekcgkb32.exe
        
        C:\Windows\system32\Ekcgkb32.exe
        84⤵
        Drops file in System32 directory
        
        PID:14724
        
        C:\Windows\SysWOW64\Fbmohmoh.exe
        
        C:\Windows\system32\Fbmohmoh.exe
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:14832
        
        C:\Windows\SysWOW64\Fdlkdhnk.exe
        
        C:\Windows\system32\Fdlkdhnk.exe
        86⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\Fkfcqb32.exe
        
        C:\Windows\system32\Fkfcqb32.exe
        87⤵
        
        PID:15048
        
        C:\Windows\SysWOW64\Fndpmndl.exe
        
        C:\Windows\system32\Fndpmndl.exe
        88⤵
        
        PID:15160
        
        C:\Windows\SysWOW64\Fdnhih32.exe
        
        C:\Windows\system32\Fdnhih32.exe
        89⤵
        
        PID:15272
        
        C:\Windows\SysWOW64\Fnfmbmbi.exe
        
        C:\Windows\system32\Fnfmbmbi.exe
        90⤵
        Drops file in System32 directory
        
        PID:14384
        
        C:\Windows\SysWOW64\Filapfbo.exe
        
        C:\Windows\system32\Filapfbo.exe
        91⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        
        PID:14576
        
        C:\Windows\SysWOW64\Fniihmpf.exe
        
        C:\Windows\system32\Fniihmpf.exe
        92⤵
        
        PID:15000
        
        C:\Windows\SysWOW64\Fbdehlip.exe
        
        C:\Windows\system32\Fbdehlip.exe
        93⤵
        
        PID:15044
        
        C:\Windows\SysWOW64\Fkmjaa32.exe
        
        C:\Windows\system32\Fkmjaa32.exe
        94⤵
        
        PID:15356
        
        C:\Windows\SysWOW64\Fbgbnkfm.exe
        
        C:\Windows\system32\Fbgbnkfm.exe
        95⤵
        
        PID:14908
        
        C:\Windows\SysWOW64\Fiqjke32.exe
        
        C:\Windows\system32\Fiqjke32.exe
        96⤵
        Modifies registry class
        
        PID:15124
        
        C:\Windows\SysWOW64\Gegkpf32.exe
        
        C:\Windows\system32\Gegkpf32.exe
        97⤵
        Drops file in System32 directory
        
        PID:15424
        
        C:\Windows\SysWOW64\Gbkkik32.exe
        
        C:\Windows\system32\Gbkkik32.exe
        98⤵
        
        PID:15620
        
        C:\Windows\SysWOW64\Gkdpbpih.exe
        
        C:\Windows\system32\Gkdpbpih.exe
        99⤵
        
        PID:15804
        
        C:\Windows\SysWOW64\Gbnhoj32.exe
        
        C:\Windows\system32\Gbnhoj32.exe
        100⤵
        
        PID:15952
        
        C:\Windows\SysWOW64\Geoapenf.exe
        
        C:\Windows\system32\Geoapenf.exe
        101⤵
        
        PID:16200
        
        C:\Windows\SysWOW64\Hahokfag.exe
        
        C:\Windows\system32\Hahokfag.exe
        102⤵
        
        PID:15480
        
        C:\Windows\SysWOW64\Halhfe32.exe
        
        C:\Windows\system32\Halhfe32.exe
        103⤵
        
        PID:15936
        
        C:\Windows\SysWOW64\Hlblcn32.exe
        
        C:\Windows\system32\Hlblcn32.exe
        104⤵
        
        PID:16452
        
        C:\Windows\SysWOW64\Hbldphde.exe
        
        C:\Windows\system32\Hbldphde.exe
        105⤵
        
        PID:16600
        
        C:\Windows\SysWOW64\Hihibbjo.exe
        
        C:\Windows\system32\Hihibbjo.exe
        106⤵
        
        PID:17008
        
        C:\Windows\SysWOW64\Inebjihf.exe
        
        C:\Windows\system32\Inebjihf.exe
        107⤵
        
        PID:17200
        
        C:\Windows\SysWOW64\Ieojgc32.exe
        
        C:\Windows\system32\Ieojgc32.exe
        108⤵
        
        PID:17356
        
        C:\Windows\SysWOW64\Ihmfco32.exe
        
        C:\Windows\system32\Ihmfco32.exe
        109⤵
        
        PID:16096
        
        C:\Windows\SysWOW64\Ihpcinld.exe
        
        C:\Windows\system32\Ihpcinld.exe
        110⤵
        
        PID:16932
        
        C:\Windows\SysWOW64\Iajdgcab.exe
        
        C:\Windows\system32\Iajdgcab.exe
        111⤵
        Drops file in System32 directory
        
        PID:16580
        
        C:\Windows\SysWOW64\Ihdldn32.exe
        
        C:\Windows\system32\Ihdldn32.exe
        112⤵
        
        PID:17424
        
        C:\Windows\SysWOW64\Iondqhpl.exe
        
        C:\Windows\system32\Iondqhpl.exe
        113⤵
        
        PID:17544
        
        C:\Windows\SysWOW64\Jidinqpb.exe
        
        C:\Windows\system32\Jidinqpb.exe
        114⤵
        
        PID:17676
        
        C:\Windows\SysWOW64\Jppnpjel.exe
        
        C:\Windows\system32\Jppnpjel.exe
        115⤵
        
        PID:18108
        
        C:\Windows\SysWOW64\Jaajhb32.exe
        
        C:\Windows\system32\Jaajhb32.exe
        116⤵
        
        PID:18260
        
        C:\Windows\SysWOW64\Jlgoek32.exe
        
        C:\Windows\system32\Jlgoek32.exe
        117⤵
        
        PID:18380
        
        C:\Windows\SysWOW64\Jadgnb32.exe
        
        C:\Windows\system32\Jadgnb32.exe
        118⤵
        
        PID:16524
        
        C:\Windows\SysWOW64\Jlikkkhn.exe
        
        C:\Windows\system32\Jlikkkhn.exe
        119⤵
        
        PID:17712
        
        C:\Windows\SysWOW64\Jafdcbge.exe
        
        C:\Windows\system32\Jafdcbge.exe
        120⤵
        Modifies registry class
        
        PID:18004
        
        C:\Windows\SysWOW64\Jpgdai32.exe
        
        C:\Windows\system32\Jpgdai32.exe
        121⤵
        
        PID:16652
        
        C:\Windows\SysWOW64\Kiphjo32.exe
        
        C:\Windows\system32\Kiphjo32.exe
        122⤵
        
        PID:18144
        
        C:\Windows\SysWOW64\Klndfj32.exe
        
        C:\Windows\system32\Klndfj32.exe
        123⤵
        
        PID:17836
        
        C:\Windows\SysWOW64\Kbhmbdle.exe
        
        C:\Windows\system32\Kbhmbdle.exe
        124⤵
        
        PID:18488
        
        C:\Windows\SysWOW64\Klpakj32.exe
        
        C:\Windows\system32\Klpakj32.exe
        125⤵
        
        PID:18688
        
        C:\Windows\SysWOW64\Kamjda32.exe
        
        C:\Windows\system32\Kamjda32.exe
        126⤵
        
        PID:19052
        
        C:\Windows\SysWOW64\Koajmepf.exe
        
        C:\Windows\system32\Koajmepf.exe
        127⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Drops file in System32 directory
        Modifies registry class
        
        PID:19160
        
        C:\Windows\SysWOW64\Kapfiqoj.exe
        
        C:\Windows\system32\Kapfiqoj.exe
        128⤵
        
        PID:19224
        
        C:\Windows\SysWOW64\Khiofk32.exe
        
        C:\Windows\system32\Khiofk32.exe
        129⤵
        
        PID:19340
        
        C:\Windows\SysWOW64\Kpqggh32.exe
        
        C:\Windows\system32\Kpqggh32.exe
        130⤵
        
        PID:17848
        
        C:\Windows\SysWOW64\Kabcopmg.exe
        
        C:\Windows\system32\Kabcopmg.exe
        131⤵
        
        PID:18184
        
        C:\Windows\SysWOW64\Kiikpnmj.exe
        
        C:\Windows\system32\Kiikpnmj.exe
        132⤵
        
        PID:18856
        
        C:\Windows\SysWOW64\Kofdhd32.exe
        
        C:\Windows\system32\Kofdhd32.exe
        133⤵
        
        PID:19084
        
        C:\Windows\SysWOW64\Likhem32.exe
        
        C:\Windows\system32\Likhem32.exe
        134⤵
        
        PID:19200
        
        C:\Windows\SysWOW64\Lcclncbh.exe
        
        C:\Windows\system32\Lcclncbh.exe
        135⤵
        Drops file in System32 directory
        
        PID:19380
        
        C:\Windows\SysWOW64\Lojmcdgl.exe
        
        C:\Windows\system32\Lojmcdgl.exe
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:18868
        
        C:\Windows\SysWOW64\Lhcali32.exe
        
        C:\Windows\system32\Lhcali32.exe
        137⤵
        
        PID:19532
        
        C:\Windows\SysWOW64\Lchfib32.exe
        
        C:\Windows\system32\Lchfib32.exe
        138⤵
        
        PID:19696
- - C:\Users\Admin\Desktop\malwar\virussign.com_995bc33fd146fa9a78cecb5b2d23c730.vir
    virussign.com_995bc33fd146fa9a78cecb5b2d23c730.vir
    3⤵
    PID:1280
- - C:\Users\Admin\Desktop\malwar\virussign.com_9ef9fd839cef04342df03b050b307910.vir
    virussign.com_9ef9fd839cef04342df03b050b307910.vir
    3⤵
    PID:9212
- - C:\Users\Admin\Desktop\malwar\virussign.com_a48285d1556a28284a27d4fd4fdce020.vir
    virussign.com_a48285d1556a28284a27d4fd4fdce020.vir
    3⤵
    PID:17184
- - C:\Users\Admin\Desktop\malwar\virussign.com_ab3d3b615abb0fdcc26f1ebe157e3130.vir
    virussign.com_ab3d3b615abb0fdcc26f1ebe157e3130.vir
    3⤵
    PID:19440

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2056

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5092 -ip 5092
1⤵
PID:4056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2068 -ip 2068
1⤵
PID:2992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1280 -ip 1280
1⤵
PID:4728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:7480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry