c6f9179c5e09f5a5668680b35c8ba875cdf38df7cdbbeb14352fde9d8be28b7b

Analysis

max time kernel
84s
max time network
26s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3420e1a8010b0c0957e33532ed8b1dbc.exe
Size

19KB
MD5

3420e1a8010b0c0957e33532ed8b1dbc
SHA1

05f4bdc15c239e055690078d78e2e7d2710d997c
SHA256

c6f9179c5e09f5a5668680b35c8ba875cdf38df7cdbbeb14352fde9d8be28b7b
SHA512

7849bf3c683aaeec1762d99b77d2bfd70668ed82827c1731db660b86fa7b4053d46cc305c575047d196300cbe2368c84cb992f59aaa8a2a6b166df98dbe248c5
SSDEEP

384:6K/zPb8fSEIkgkHdbDSlQO5ATd68IP4//38LKCTYY+Z+Bdme/J:J/zz8Ddv+wZ68IPBKR+fmeh

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2128	WNLOGON.exe
2692	ahhcnna.exe
844	qxskuew.exe
588	WNLOGON.exe
1700	slvmpfl.exe
3024	cvkxkar.exe
2004	WNLOGON.exe
1476	jsvuvge.exe
2380	vmbkhsq.exe
2068	ukxmzkz.exe
2304	gmdclwe.exe
1888	cuyvnub.exe
1812	qxqcyjb.exe
1824	famxcmk.exe
2300	srhatuq.exe
2028	WNLOGON.exe
1456	memvtad.exe
2772	zosfwsd.exe
2128	WNLOGON.exe
2568	fwkifry.exe
476	qvofpqf.exe
2856	WNLOGON.exe
1220	snfdimn.exe
2652	ajpizxq.exe
2504	WNLOGON.exe
2200	yjoltnp.exe
1532	iiailmx.exe
2364	WNLOGON.exe
2976	doqdgjm.exe
2292	drcwunq.exe
2344	WNLOGON.exe
1804	fnfgpox.exe
1668	mvtykdg.exe
2940	WNLOGON.exe
2452	oxtgwuy.exe
1372	ackbkdb.exe
1728	WNLOGON.exe
2780	dmczczj.exe
2840	kuprwot.exe
2264	WNLOGON.exe
1124	flruudc.exe
2444	psvrecc.exe
1392	WNLOGON.exe
1180	ostbexr.exe
2008	eebwikw.exe
756	WNLOGON.exe
312	voezpdm.exe
1608	nddwurv.exe
2368	WNLOGON.exe
2068	ukxmzkz.exe
2304	gmdclwe.exe
784	WNLOGON.exe
952	qeqkxhv.exe
1812	qxqcyjb.exe
1140	WNLOGON.exe
884	aucdsei.exe
2140	wodjvjb.exe
2468	WNLOGON.exe
2252	gkdkbcr.exe
2960	naycvrb.exe
2092	WNLOGON.exe
2888	nhohmie.exe
2688	klrhtpx.exe
1956	WNLOGON.exe

Loads dropped DLL 64 IoCs

pid	Process
2260	3420e1a8010b0c0957e33532ed8b1dbc.exe
2260	3420e1a8010b0c0957e33532ed8b1dbc.exe
2128	WNLOGON.exe
2128	WNLOGON.exe
2692	ahhcnna.exe
2692	ahhcnna.exe
844	qxskuew.exe
844	qxskuew.exe
588	WNLOGON.exe
588	WNLOGON.exe
1700	slvmpfl.exe
1700	slvmpfl.exe
3024	cvkxkar.exe
3024	cvkxkar.exe
2004	WNLOGON.exe
2004	WNLOGON.exe
1476	jsvuvge.exe
1476	jsvuvge.exe
2380	vmbkhsq.exe
2380	vmbkhsq.exe
2068	ukxmzkz.exe
2068	ukxmzkz.exe
2304	gmdclwe.exe
2304	gmdclwe.exe
1888	cuyvnub.exe
1888	cuyvnub.exe
1812	qxqcyjb.exe
1812	qxqcyjb.exe
1824	famxcmk.exe
1824	famxcmk.exe
2300	srhatuq.exe
2300	srhatuq.exe
2028	WNLOGON.exe
2028	WNLOGON.exe
1456	memvtad.exe
1456	memvtad.exe
2772	zosfwsd.exe
2772	zosfwsd.exe
2128	WNLOGON.exe
2128	WNLOGON.exe
2568	fwkifry.exe
2568	fwkifry.exe
476	qvofpqf.exe
476	qvofpqf.exe
2856	WNLOGON.exe
2856	WNLOGON.exe
1220	snfdimn.exe
1220	snfdimn.exe
2652	ajpizxq.exe
2652	ajpizxq.exe
2504	WNLOGON.exe
2504	WNLOGON.exe
2200	yjoltnp.exe
2200	yjoltnp.exe
1532	iiailmx.exe
1532	iiailmx.exe
2364	WNLOGON.exe
2364	WNLOGON.exe
2976	doqdgjm.exe
2976	doqdgjm.exe
2292	drcwunq.exe
2292	drcwunq.exe
2344	WNLOGON.exe
2344	WNLOGON.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "vmbkhsq.exe"	jsvuvge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	iiailmx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	eulphqq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	fsxuqpq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "fkqnjye.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "cvkxkar.exe"	slvmpfl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "qvofpqf.exe"	fwkifry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "yjoltnp.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	rszfdpn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	3420e1a8010b0c0957e33532ed8b1dbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	inxzdbz.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "mosabrh.exe"	fkqnjye.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "alhitzn.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "cwswcmy.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "nujzyfq.exe"	lggpdej.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	juyzqtl.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "ajpizxq.exe"	snfdimn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	ajpizxq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "nddwurv.exe"	voezpdm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "rtuaood.exe"	hjfqtlp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "pilchmb.exe"	fjhxpnb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "prdixpu.exe"	kfpunwa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "jsvuvge.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	kuprwot.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	gmdclwe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	naycvrb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "ftgnkca.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	rtuaood.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	vmbkhsq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	zosfwsd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "sfoekms.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "rpormza.exe"	cwswcmy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	iiailmx.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	gmdclwe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	eulphqq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "ncddduc.exe"	euqkcxy.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "ncddduc.exe"	euqkcxy.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "raquahu.exe"	jirutsq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "drcwunq.exe"	doqdgjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "ukxmzkz.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "qjcmvaa.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	uilbotb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "lggpdej.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	nksjdhr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "zosfwsd.exe"	memvtad.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "snfdimn.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "mvtykdg.exe"	fnfgpox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "aebsgxj.exe"	pilchmb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "qxskuew.exe"	ahhcnna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "slvmpfl.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "fwkifry.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	qxqcyjb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	zpqputt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "ombvpyj.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	zosfwsd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "gmdclwe.exe"	ukxmzkz.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "bprhhew.exe"	nksjdhr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "avwqstz.exe"	ombvpyj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "supqijn.exe"	WNLOGON.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "srhatuq.exe"	famxcmk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "psvrecc.exe"	flruudc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "WNLOGON.exe"	sopknvk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winsock2 driver = "khfhncy.exe"	fkqnjye.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Winsock2 driver = "WNLOGON.exe"	rtuaood.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\rpormza.exe	cwswcmy.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	rszfdpn.exe
File created	C:\WINDOWS\SysWOW64\eulphqq.exe	rhbrbmj.exe
File opened for modification	C:\WINDOWS\SysWOW64\tjtznvb.exe	ncddduc.exe
File created	C:\WINDOWS\SysWOW64\avwqstz.exe	ombvpyj.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	krkdwtp.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	avwqstz.exe
File opened for modification	C:\WINDOWS\SysWOW64\ahhcnna.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\famxcmk.exe	qxqcyjb.exe
File opened for modification	C:\WINDOWS\SysWOW64\psvrecc.exe	flruudc.exe
File opened for modification	C:\WINDOWS\SysWOW64\sopknvk.exe	aebsgxj.exe
File created	C:\WINDOWS\SysWOW64\bboxfwp.exe	rccavxq.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	3420e1a8010b0c0957e33532ed8b1dbc.exe
File created	C:\WINDOWS\SysWOW64\memvtad.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe
File opened for modification	C:\WINDOWS\SysWOW64\iiailmx.exe	yjoltnp.exe
File created	C:\WINDOWS\SysWOW64\mosabrh.exe	fkqnjye.exe
File created	C:\WINDOWS\SysWOW64\rtuaood.exe	hjfqtlp.exe
File opened for modification	C:\WINDOWS\SysWOW64\raquahu.exe	jirutsq.exe
File opened for modification	C:\WINDOWS\SysWOW64\sjbhbkg.exe	ftgnkca.exe
File opened for modification	C:\WINDOWS\SysWOW64\alhitzn.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\lggpdej.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	ahhcnna.exe
File created	C:\WINDOWS\SysWOW64\mvtykdg.exe	fnfgpox.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	flruudc.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	avwqstz.exe
File opened for modification	C:\WINDOWS\SysWOW64\sfoekms.exe	WNLOGON.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	fsxuqpq.exe
File opened for modification	C:\WINDOWS\SysWOW64\rccavxq.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\alhitzn.exe	WNLOGON.exe
File opened for modification	C:\WINDOWS\SysWOW64\cuyvnub.exe	gmdclwe.exe
File opened for modification	C:\WINDOWS\SysWOW64\qeqkxhv.exe	WNLOGON.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	wodjvjb.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	gkdkbcr.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	wvwnpxo.exe
File created	C:\WINDOWS\SysWOW64\cdjmizo.exe	qjcmvaa.exe
File created	C:\WINDOWS\SysWOW64\jirutsq.exe	WNLOGON.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	ilcesbj.exe
File opened for modification	C:\WINDOWS\SysWOW64\qxskuew.exe	ahhcnna.exe
File opened for modification	C:\WINDOWS\SysWOW64\bprhhew.exe	nksjdhr.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\pilchmb.exe	fjhxpnb.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	kfpunwa.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	nddwurv.exe
File created	C:\WINDOWS\SysWOW64\qxqcyjb.exe	qeqkxhv.exe
File created	C:\WINDOWS\SysWOW64\fsxuqpq.exe	sfoekms.exe
File created	C:\WINDOWS\SysWOW64\hjfqtlp.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\raquahu.exe	jirutsq.exe
File created	C:\WINDOWS\SysWOW64\lzvuicn.exe	WNLOGON.exe
File opened for modification	C:\WINDOWS\SysWOW64\ombvpyj.exe	WNLOGON.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	exprxqv.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	nksjdhr.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	pilchmb.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe
File created	C:\WINDOWS\SysWOW64\drcwunq.exe	doqdgjm.exe
File opened for modification	C:\WINDOWS\SysWOW64\WNLOGON.exe	mvtykdg.exe
File opened for modification	C:\WINDOWS\SysWOW64\kuprwot.exe	dmczczj.exe
File opened for modification	C:\WINDOWS\SysWOW64\gmdclwe.exe	ukxmzkz.exe
File created	C:\WINDOWS\SysWOW64\WNLOGON.exe	WNLOGON.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2128	2260	3420e1a8010b0c0957e33532ed8b1dbc.exe	28
PID 2260 wrote to memory of 2128	2260	3420e1a8010b0c0957e33532ed8b1dbc.exe	28
PID 2260 wrote to memory of 2128	2260	3420e1a8010b0c0957e33532ed8b1dbc.exe	28
PID 2260 wrote to memory of 2128	2260	3420e1a8010b0c0957e33532ed8b1dbc.exe	28
PID 2128 wrote to memory of 2692	2128	WNLOGON.exe	32
PID 2128 wrote to memory of 2692	2128	WNLOGON.exe	32
PID 2128 wrote to memory of 2692	2128	WNLOGON.exe	32
PID 2128 wrote to memory of 2692	2128	WNLOGON.exe	32
PID 2692 wrote to memory of 844	2692	ahhcnna.exe	31
PID 2692 wrote to memory of 844	2692	ahhcnna.exe	31
PID 2692 wrote to memory of 844	2692	ahhcnna.exe	31
PID 2692 wrote to memory of 844	2692	ahhcnna.exe	31
PID 844 wrote to memory of 588	844	qxskuew.exe	30
PID 844 wrote to memory of 588	844	qxskuew.exe	30
PID 844 wrote to memory of 588	844	qxskuew.exe	30
PID 844 wrote to memory of 588	844	qxskuew.exe	30
PID 588 wrote to memory of 1700	588	WNLOGON.exe	29
PID 588 wrote to memory of 1700	588	WNLOGON.exe	29
PID 588 wrote to memory of 1700	588	WNLOGON.exe	29
PID 588 wrote to memory of 1700	588	WNLOGON.exe	29
PID 1700 wrote to memory of 3024	1700	slvmpfl.exe	33
PID 1700 wrote to memory of 3024	1700	slvmpfl.exe	33
PID 1700 wrote to memory of 3024	1700	slvmpfl.exe	33
PID 1700 wrote to memory of 3024	1700	slvmpfl.exe	33
PID 3024 wrote to memory of 2004	3024	cvkxkar.exe	34
PID 3024 wrote to memory of 2004	3024	cvkxkar.exe	34
PID 3024 wrote to memory of 2004	3024	cvkxkar.exe	34
PID 3024 wrote to memory of 2004	3024	cvkxkar.exe	34
PID 2004 wrote to memory of 1476	2004	WNLOGON.exe	35
PID 2004 wrote to memory of 1476	2004	WNLOGON.exe	35
PID 2004 wrote to memory of 1476	2004	WNLOGON.exe	35
PID 2004 wrote to memory of 1476	2004	WNLOGON.exe	35
PID 1476 wrote to memory of 2380	1476	jsvuvge.exe	36
PID 1476 wrote to memory of 2380	1476	jsvuvge.exe	36
PID 1476 wrote to memory of 2380	1476	jsvuvge.exe	36
PID 1476 wrote to memory of 2380	1476	jsvuvge.exe	36
PID 2380 wrote to memory of 2068	2380	vmbkhsq.exe	79
PID 2380 wrote to memory of 2068	2380	vmbkhsq.exe	79
PID 2380 wrote to memory of 2068	2380	vmbkhsq.exe	79
PID 2380 wrote to memory of 2068	2380	vmbkhsq.exe	79
PID 2068 wrote to memory of 2304	2068	ukxmzkz.exe	80
PID 2068 wrote to memory of 2304	2068	ukxmzkz.exe	80
PID 2068 wrote to memory of 2304	2068	ukxmzkz.exe	80
PID 2068 wrote to memory of 2304	2068	ukxmzkz.exe	80
PID 2304 wrote to memory of 1888	2304	gmdclwe.exe	40
PID 2304 wrote to memory of 1888	2304	gmdclwe.exe	40
PID 2304 wrote to memory of 1888	2304	gmdclwe.exe	40
PID 2304 wrote to memory of 1888	2304	gmdclwe.exe	40
PID 1888 wrote to memory of 1812	1888	cuyvnub.exe	83
PID 1888 wrote to memory of 1812	1888	cuyvnub.exe	83
PID 1888 wrote to memory of 1812	1888	cuyvnub.exe	83
PID 1888 wrote to memory of 1812	1888	cuyvnub.exe	83
PID 1812 wrote to memory of 1824	1812	qxqcyjb.exe	41
PID 1812 wrote to memory of 1824	1812	qxqcyjb.exe	41
PID 1812 wrote to memory of 1824	1812	qxqcyjb.exe	41
PID 1812 wrote to memory of 1824	1812	qxqcyjb.exe	41
PID 1824 wrote to memory of 2300	1824	famxcmk.exe	43
PID 1824 wrote to memory of 2300	1824	famxcmk.exe	43
PID 1824 wrote to memory of 2300	1824	famxcmk.exe	43
PID 1824 wrote to memory of 2300	1824	famxcmk.exe	43
PID 2300 wrote to memory of 2028	2300	srhatuq.exe	45
PID 2300 wrote to memory of 2028	2300	srhatuq.exe	45
PID 2300 wrote to memory of 2028	2300	srhatuq.exe	45
PID 2300 wrote to memory of 2028	2300	srhatuq.exe	45

C:\Users\Admin\AppData\Local\Temp\3420e1a8010b0c0957e33532ed8b1dbc.exe
"C:\Users\Admin\AppData\Local\Temp\3420e1a8010b0c0957e33532ed8b1dbc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2260
- C:\WINDOWS\SysWOW64\WNLOGON.exe
  "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\USERS\ADMIN\APPDATA\LOCAL\TEMP\3420E1A8010B0C0957E33532ED8B1DBC.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\WINDOWS\SysWOW64\ahhcnna.exe
    "C:\WINDOWS\SYSTEM32\ahhcnna.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:2692

C:\WINDOWS\SysWOW64\slvmpfl.exe
"C:\WINDOWS\SYSTEM32\slvmpfl.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1700
- C:\WINDOWS\SysWOW64\cvkxkar.exe
  "C:\WINDOWS\SYSTEM32\cvkxkar.exe" mElTC:\WINDOWS\SYSWOW64\SLVMPFL.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\WINDOWS\SysWOW64\WNLOGON.exe
    "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\CVKXKAR.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\WINDOWS\SysWOW64\jsvuvge.exe
      "C:\WINDOWS\SYSTEM32\jsvuvge.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1476
    - - C:\WINDOWS\SysWOW64\vmbkhsq.exe
        
        "C:\WINDOWS\SYSTEM32\vmbkhsq.exe" mElTC:\WINDOWS\SYSWOW64\JSVUVGE.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\VMBKHSQ.EXE
        6⤵
        
        PID:2068
        
        C:\WINDOWS\SysWOW64\vbzpyat.exe
        
        "C:\WINDOWS\SYSTEM32\vbzpyat.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        7⤵
        
        PID:2304
        
        C:\WINDOWS\SysWOW64\cuyvnub.exe
        
        "C:\WINDOWS\SYSTEM32\cuyvnub.exe" mElTC:\WINDOWS\SYSWOW64\VBZPYAT.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1888

C:\WINDOWS\SysWOW64\WNLOGON.exe
"C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\QXSKUEW.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:588

C:\WINDOWS\SysWOW64\qxskuew.exe
"C:\WINDOWS\SYSTEM32\qxskuew.exe" mElTC:\WINDOWS\SYSWOW64\AHHCNNA.EXE
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844

C:\WINDOWS\SysWOW64\WNLOGON.exe
"C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\CUYVNUB.EXE
1⤵
PID:1812
- C:\WINDOWS\SysWOW64\famxcmk.exe
  "C:\WINDOWS\SYSTEM32\famxcmk.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\WINDOWS\SysWOW64\srhatuq.exe
    "C:\WINDOWS\SYSTEM32\srhatuq.exe" mElTC:\WINDOWS\SYSWOW64\FAMXCMK.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\WINDOWS\SysWOW64\WNLOGON.exe
      "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\SRHATUQ.EXE
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2028
    - - C:\WINDOWS\SysWOW64\memvtad.exe
        
        "C:\WINDOWS\SYSTEM32\memvtad.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1456
      - C:\WINDOWS\SysWOW64\zosfwsd.exe
        
        "C:\WINDOWS\SYSTEM32\zosfwsd.exe" mElTC:\WINDOWS\SYSWOW64\MEMVTAD.EXE
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2772
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\ZOSFWSD.EXE
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2128
        
        C:\WINDOWS\SysWOW64\fwkifry.exe
        
        "C:\WINDOWS\SYSTEM32\fwkifry.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2568
        
        C:\WINDOWS\SysWOW64\qvofpqf.exe
        
        "C:\WINDOWS\SYSTEM32\qvofpqf.exe" mElTC:\WINDOWS\SYSWOW64\FWKIFRY.EXE
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:476
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\QVOFPQF.EXE
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2856
        
        C:\WINDOWS\SysWOW64\snfdimn.exe
        
        "C:\WINDOWS\SYSTEM32\snfdimn.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1220
        
        C:\WINDOWS\SysWOW64\ajpizxq.exe
        
        "C:\WINDOWS\SYSTEM32\ajpizxq.exe" mElTC:\WINDOWS\SYSWOW64\SNFDIMN.EXE
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2652
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\AJPIZXQ.EXE
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2504
        
        C:\WINDOWS\SysWOW64\yjoltnp.exe
        
        "C:\WINDOWS\SYSTEM32\yjoltnp.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2200
        
        C:\WINDOWS\SysWOW64\iiailmx.exe
        
        "C:\WINDOWS\SYSTEM32\iiailmx.exe" mElTC:\WINDOWS\SYSWOW64\YJOLTNP.EXE
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1532
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\IIAILMX.EXE
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2364
        
        C:\WINDOWS\SysWOW64\doqdgjm.exe
        
        "C:\WINDOWS\SYSTEM32\doqdgjm.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2976
        
        C:\WINDOWS\SysWOW64\drcwunq.exe
        
        "C:\WINDOWS\SYSTEM32\drcwunq.exe" mElTC:\WINDOWS\SYSWOW64\DOQDGJM.EXE
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2292
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\DRCWUNQ.EXE
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2344
        
        C:\WINDOWS\SysWOW64\fnfgpox.exe
        
        "C:\WINDOWS\SYSTEM32\fnfgpox.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        20⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1804
        
        C:\WINDOWS\SysWOW64\mvtykdg.exe
        
        "C:\WINDOWS\SYSTEM32\mvtykdg.exe" mElTC:\WINDOWS\SYSWOW64\FNFGPOX.EXE
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1668
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\MVTYKDG.EXE
        22⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\WINDOWS\SysWOW64\oxtgwuy.exe
        
        "C:\WINDOWS\SYSTEM32\oxtgwuy.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        23⤵
        Executes dropped EXE
        
        PID:2452
        
        C:\WINDOWS\SysWOW64\ackbkdb.exe
        
        "C:\WINDOWS\SYSTEM32\ackbkdb.exe" mElTC:\WINDOWS\SYSWOW64\OXTGWUY.EXE
        24⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\ACKBKDB.EXE
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1728
        
        C:\WINDOWS\SysWOW64\dmczczj.exe
        
        "C:\WINDOWS\SYSTEM32\dmczczj.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2780
        
        C:\WINDOWS\SysWOW64\kuprwot.exe
        
        "C:\WINDOWS\SYSTEM32\kuprwot.exe" mElTC:\WINDOWS\SYSWOW64\DMCZCZJ.EXE
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2840
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\KUPRWOT.EXE
        28⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\WINDOWS\SysWOW64\flruudc.exe
        
        "C:\WINDOWS\SYSTEM32\flruudc.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        29⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1124
        
        C:\WINDOWS\SysWOW64\psvrecc.exe
        
        "C:\WINDOWS\SYSTEM32\psvrecc.exe" mElTC:\WINDOWS\SYSWOW64\FLRUUDC.EXE
        30⤵
        Executes dropped EXE
        
        PID:2444
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\PSVRECC.EXE
        31⤵
        Executes dropped EXE
        
        PID:1392
        
        C:\WINDOWS\SysWOW64\ostbexr.exe
        
        "C:\WINDOWS\SYSTEM32\ostbexr.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        32⤵
        Executes dropped EXE
        
        PID:1180
        
        C:\WINDOWS\SysWOW64\eebwikw.exe
        
        "C:\WINDOWS\SYSTEM32\eebwikw.exe" mElTC:\WINDOWS\SYSWOW64\OSTBEXR.EXE
        33⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\EEBWIKW.EXE
        34⤵
        Executes dropped EXE
        
        PID:756
        
        C:\WINDOWS\SysWOW64\voezpdm.exe
        
        "C:\WINDOWS\SYSTEM32\voezpdm.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        35⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:312
        
        C:\WINDOWS\SysWOW64\nddwurv.exe
        
        "C:\WINDOWS\SYSTEM32\nddwurv.exe" mElTC:\WINDOWS\SYSWOW64\VOEZPDM.EXE
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1608
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NDDWURV.EXE
        37⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2368
        
        C:\WINDOWS\SysWOW64\ukxmzkz.exe
        
        "C:\WINDOWS\SYSTEM32\ukxmzkz.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\WINDOWS\SysWOW64\gmdclwe.exe
        
        "C:\WINDOWS\SYSTEM32\gmdclwe.exe" mElTC:\WINDOWS\SYSWOW64\UKXMZKZ.EXE
        39⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2304
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\GMDCLWE.EXE
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:784
        
        C:\WINDOWS\SysWOW64\qeqkxhv.exe
        
        "C:\WINDOWS\SYSTEM32\qeqkxhv.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        41⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:952
        
        C:\WINDOWS\SysWOW64\qxqcyjb.exe
        
        "C:\WINDOWS\SYSTEM32\qxqcyjb.exe" mElTC:\WINDOWS\SYSWOW64\QEQKXHV.EXE
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\QXQCYJB.EXE
        43⤵
        Executes dropped EXE
        
        PID:1140
        
        C:\WINDOWS\SysWOW64\aucdsei.exe
        
        "C:\WINDOWS\SYSTEM32\aucdsei.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        44⤵
        Executes dropped EXE
        
        PID:884
        
        C:\WINDOWS\SysWOW64\wodjvjb.exe
        
        "C:\WINDOWS\SYSTEM32\wodjvjb.exe" mElTC:\WINDOWS\SYSWOW64\AUCDSEI.EXE
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2140
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\WODJVJB.EXE
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2468
        
        C:\WINDOWS\SysWOW64\gkdkbcr.exe
        
        "C:\WINDOWS\SYSTEM32\gkdkbcr.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        47⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2252
        
        C:\WINDOWS\SysWOW64\naycvrb.exe
        
        "C:\WINDOWS\SYSTEM32\naycvrb.exe" mElTC:\WINDOWS\SYSWOW64\GKDKBCR.EXE
        48⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2960
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NAYCVRB.EXE
        49⤵
        Executes dropped EXE
        
        PID:2092
        
        C:\WINDOWS\SysWOW64\nhohmie.exe
        
        "C:\WINDOWS\SYSTEM32\nhohmie.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        50⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\WINDOWS\SysWOW64\klrhtpx.exe
        
        "C:\WINDOWS\SYSTEM32\klrhtpx.exe" mElTC:\WINDOWS\SYSWOW64\NHOHMIE.EXE
        51⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\KLRHTPX.EXE
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1956
        
        C:\WINDOWS\SysWOW64\lzvuicn.exe
        
        "C:\WINDOWS\SYSTEM32\lzvuicn.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        53⤵
        
        PID:1036
        
        C:\WINDOWS\SysWOW64\wvwnpxo.exe
        
        "C:\WINDOWS\SYSTEM32\wvwnpxo.exe" mElTC:\WINDOWS\SYSWOW64\LZVUICN.EXE
        54⤵
        Drops file in System32 directory
        
        PID:1644
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\WVWNPXO.EXE
        55⤵
        
        PID:1148
        
        C:\WINDOWS\SysWOW64\aebsgxj.exe
        
        "C:\WINDOWS\SYSTEM32\aebsgxj.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        56⤵
        Drops file in System32 directory
        
        PID:2032
        
        C:\WINDOWS\SysWOW64\sopknvk.exe
        
        "C:\WINDOWS\SYSTEM32\sopknvk.exe" mElTC:\WINDOWS\SYSWOW64\AEBSGXJ.EXE
        57⤵
        Adds Run key to start application
        
        PID:2324
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\SOPKNVK.EXE
        58⤵
        
        PID:3004
        
        C:\WINDOWS\SysWOW64\rszfdpn.exe
        
        "C:\WINDOWS\SYSTEM32\rszfdpn.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        59⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1504
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\RSZFDPN.EXE
        60⤵
        
        PID:2384
        
        C:\WINDOWS\SysWOW64\bprhhew.exe
        
        "C:\WINDOWS\SYSTEM32\bprhhew.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        61⤵
        
        PID:2228
        
        C:\WINDOWS\SysWOW64\ilcesbj.exe
        
        "C:\WINDOWS\SYSTEM32\ilcesbj.exe" mElTC:\WINDOWS\SYSWOW64\BPRHHEW.EXE
        62⤵
        Drops file in System32 directory
        
        PID:1660
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\ILCESBJ.EXE
        63⤵
        
        PID:1928
        
        C:\WINDOWS\SysWOW64\khfhncy.exe
        
        "C:\WINDOWS\SYSTEM32\khfhncy.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        64⤵
        
        PID:2232
        
        C:\WINDOWS\SysWOW64\zpqputt.exe
        
        "C:\WINDOWS\SYSTEM32\zpqputt.exe" mElTC:\WINDOWS\SYSWOW64\KHFHNCY.EXE
        65⤵
        Adds Run key to start application
        
        PID:2872
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\ZPQPUTT.EXE
        66⤵
        
        PID:2836
        
        C:\WINDOWS\SysWOW64\rhbrbmj.exe
        
        "C:\WINDOWS\SYSTEM32\rhbrbmj.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        67⤵
        Drops file in System32 directory
        
        PID:2416
        
        C:\WINDOWS\SysWOW64\eulphqq.exe
        
        "C:\WINDOWS\SYSTEM32\eulphqq.exe" mElTC:\WINDOWS\SYSWOW64\RHBRBMJ.EXE
        68⤵
        Adds Run key to start application
        
        PID:2568
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\EULPHQQ.EXE
        69⤵
        
        PID:780
        
        C:\WINDOWS\SysWOW64\dtizhlf.exe
        
        "C:\WINDOWS\SYSTEM32\dtizhlf.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        70⤵
        
        PID:2156
        
        C:\WINDOWS\SysWOW64\tjtznvb.exe
        
        "C:\WINDOWS\SYSTEM32\tjtznvb.exe" mElTC:\WINDOWS\SYSWOW64\DTIZHLF.EXE
        71⤵
        
        PID:1392
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\TJTZNVB.EXE
        72⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1700
        
        C:\WINDOWS\SysWOW64\sfoekms.exe
        
        "C:\WINDOWS\SYSTEM32\sfoekms.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        73⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\WINDOWS\SysWOW64\fsxuqpq.exe
        
        "C:\WINDOWS\SYSTEM32\fsxuqpq.exe" mElTC:\WINDOWS\SYSWOW64\SFOEKMS.EXE
        74⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1100
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\FSXUQPQ.EXE
        75⤵
        Adds Run key to start application
        
        PID:2172
        
        C:\WINDOWS\SysWOW64\ftgnkca.exe
        
        "C:\WINDOWS\SYSTEM32\ftgnkca.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        76⤵
        Drops file in System32 directory
        
        PID:2272
        
        C:\WINDOWS\SysWOW64\sjbhbkg.exe
        
        "C:\WINDOWS\SYSTEM32\sjbhbkg.exe" mElTC:\WINDOWS\SYSWOW64\FTGNKCA.EXE
        77⤵
        
        PID:3044
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\SJBHBKG.EXE
        78⤵
        
        PID:1652
        
        C:\WINDOWS\SysWOW64\rccavxq.exe
        
        "C:\WINDOWS\SYSTEM32\rccavxq.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        79⤵
        Drops file in System32 directory
        
        PID:3004
        
        C:\WINDOWS\SysWOW64\bboxfwp.exe
        
        "C:\WINDOWS\SYSTEM32\bboxfwp.exe" mElTC:\WINDOWS\SYSWOW64\RCCAVXQ.EXE
        80⤵
        
        PID:1168
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\BBOXFWP.EXE
        81⤵
        
        PID:1212
        
        C:\WINDOWS\SysWOW64\ttrinof.exe
        
        "C:\WINDOWS\SYSTEM32\ttrinof.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        82⤵
        
        PID:2132
        
        C:\WINDOWS\SysWOW64\hujnqzz.exe
        
        "C:\WINDOWS\SYSTEM32\hujnqzz.exe" mElTC:\WINDOWS\SYSWOW64\TTRINOF.EXE
        83⤵
        
        PID:616
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\HUJNQZZ.EXE
        84⤵
        Adds Run key to start application
        
        PID:2220
        
        C:\WINDOWS\SysWOW64\fkqnjye.exe
        
        "C:\WINDOWS\SYSTEM32\fkqnjye.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        85⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1928
        
        C:\WINDOWS\SysWOW64\mosabrh.exe
        
        "C:\WINDOWS\SYSTEM32\mosabrh.exe" mElTC:\WINDOWS\SYSWOW64\FKQNJYE.EXE
        86⤵
        
        PID:2084
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\MOSABRH.EXE
        87⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\WINDOWS\SysWOW64\hjfqtlp.exe
        
        "C:\WINDOWS\SYSTEM32\hjfqtlp.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        88⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2836
        
        C:\WINDOWS\SysWOW64\rtuaood.exe
        
        "C:\WINDOWS\SYSTEM32\rtuaood.exe" mElTC:\WINDOWS\SYSWOW64\HJFQTLP.EXE
        89⤵
        Adds Run key to start application
        
        PID:1124
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\RTUAOOD.EXE
        90⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1404
        
        C:\WINDOWS\SysWOW64\alhitzn.exe
        
        "C:\WINDOWS\SYSTEM32\alhitzn.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        91⤵
        
        PID:780
        
        C:\WINDOWS\SysWOW64\ncddduc.exe
        
        "C:\WINDOWS\SYSTEM32\ncddduc.exe" mElTC:\WINDOWS\SYSWOW64\ALHITZN.EXE
        92⤵
        Drops file in System32 directory
        
        PID:2156
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NCDDDUC.EXE
        93⤵
        Drops file in System32 directory
        
        PID:1392
        
        C:\WINDOWS\SysWOW64\krkdwtp.exe
        
        "C:\WINDOWS\SYSTEM32\krkdwtp.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        94⤵
        Drops file in System32 directory
        
        PID:1768
        
        C:\WINDOWS\SysWOW64\rljitvy.exe
        
        "C:\WINDOWS\SYSTEM32\rljitvy.exe" mElTC:\WINDOWS\SYSWOW64\KRKDWTP.EXE
        95⤵
        
        PID:1576
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\RLJITVY.EXE
        96⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2364
        
        C:\WINDOWS\SysWOW64\ombvpyj.exe
        
        "C:\WINDOWS\SYSTEM32\ombvpyj.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        97⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1528
        
        C:\WINDOWS\SysWOW64\avwqstz.exe
        
        "C:\WINDOWS\SYSTEM32\avwqstz.exe" mElTC:\WINDOWS\SYSWOW64\OMBVPYJ.EXE
        98⤵
        Drops file in System32 directory
        
        PID:1036
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\AVWQSTZ.EXE
        99⤵
        
        PID:1268
        
        C:\WINDOWS\SysWOW64\pzdgxov.exe
        
        "C:\WINDOWS\SYSTEM32\pzdgxov.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        100⤵
        
        PID:1500
        
        C:\WINDOWS\SysWOW64\uilbotb.exe
        
        "C:\WINDOWS\SYSTEM32\uilbotb.exe" mElTC:\WINDOWS\SYSWOW64\PZDGXOV.EXE
        101⤵
        Adds Run key to start application
        
        PID:2544
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\UILBOTB.EXE
        102⤵
        Adds Run key to start application
        
        PID:1936
        
        C:\WINDOWS\SysWOW64\qjcmvaa.exe
        
        "C:\WINDOWS\SYSTEM32\qjcmvaa.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        103⤵
        Drops file in System32 directory
        
        PID:1140
        
        C:\WINDOWS\SysWOW64\cdjmizo.exe
        
        "C:\WINDOWS\SYSTEM32\cdjmizo.exe" mElTC:\WINDOWS\SYSWOW64\QJCMVAA.EXE
        104⤵
        
        PID:2828
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\CDJMIZO.EXE
        105⤵
        Adds Run key to start application
        
        PID:1456
        
        C:\WINDOWS\SysWOW64\cwswcmy.exe
        
        "C:\WINDOWS\SYSTEM32\cwswcmy.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        106⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2784
        
        C:\WINDOWS\SysWOW64\rpormza.exe
        
        "C:\WINDOWS\SYSTEM32\rpormza.exe" mElTC:\WINDOWS\SYSWOW64\CWSWCMY.EXE
        107⤵
        
        PID:2736
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\RPORMZA.EXE
        108⤵
        Drops file in System32 directory
        
        PID:2468
        
        C:\WINDOWS\SysWOW64\jirutsq.exe
        
        "C:\WINDOWS\SYSTEM32\jirutsq.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        109⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2136
        
        C:\WINDOWS\SysWOW64\raquahu.exe
        
        "C:\WINDOWS\SYSTEM32\raquahu.exe" mElTC:\WINDOWS\SYSWOW64\JIRUTSQ.EXE
        110⤵
        
        PID:1484
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\RAQUAHU.EXE
        111⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2768
        
        C:\WINDOWS\SysWOW64\lggpdej.exe
        
        "C:\WINDOWS\SYSTEM32\lggpdej.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        112⤵
        Adds Run key to start application
        
        PID:2012
        
        C:\WINDOWS\SysWOW64\nujzyfq.exe
        
        "C:\WINDOWS\SYSTEM32\nujzyfq.exe" mElTC:\WINDOWS\SYSWOW64\LGGPDEJ.EXE
        113⤵
        
        PID:1712
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NUJZYFQ.EXE
        114⤵
        
        PID:568
        
        C:\WINDOWS\SysWOW64\fjhxpnb.exe
        
        "C:\WINDOWS\SYSTEM32\fjhxpnb.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        115⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1104
        
        C:\WINDOWS\SysWOW64\pilchmb.exe
        
        "C:\WINDOWS\SYSTEM32\pilchmb.exe" mElTC:\WINDOWS\SYSWOW64\FJHXPNB.EXE
        116⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1148
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\PILCHMB.EXE
        117⤵
        Drops file in System32 directory
        
        PID:1144
        
        C:\WINDOWS\SysWOW64\kfpunwa.exe
        
        "C:\WINDOWS\SYSTEM32\kfpunwa.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        118⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:440
        
        C:\WINDOWS\SysWOW64\prdixpu.exe
        
        "C:\WINDOWS\SYSTEM32\prdixpu.exe" mElTC:\WINDOWS\SYSWOW64\KFPUNWA.EXE
        119⤵
        
        PID:2088
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\PRDIXPU.EXE
        120⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1652
        
        C:\WINDOWS\SysWOW64\supqijn.exe
        
        "C:\WINDOWS\SYSTEM32\supqijn.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        121⤵
        
        PID:1992
        
        C:\WINDOWS\SysWOW64\nksjdhr.exe
        
        "C:\WINDOWS\SYSTEM32\nksjdhr.exe" mElTC:\WINDOWS\SYSWOW64\SUPQIJN.EXE
        122⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2384
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NKSJDHR.EXE
        123⤵
        
        PID:2796
        
        C:\WINDOWS\SysWOW64\inxzdbz.exe
        
        "C:\WINDOWS\SYSTEM32\inxzdbz.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        124⤵
        Adds Run key to start application
        
        PID:616
        
        C:\WINDOWS\SysWOW64\xgummpb.exe
        
        "C:\WINDOWS\SYSTEM32\xgummpb.exe" mElTC:\WINDOWS\SYSWOW64\INXZDBZ.EXE
        125⤵
        
        PID:2392
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\XGUMMPB.EXE
        126⤵
        
        PID:2824
        
        C:\WINDOWS\SysWOW64\gfvcwry.exe
        
        "C:\WINDOWS\SYSTEM32\gfvcwry.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        127⤵
        
        PID:2716
        
        C:\WINDOWS\SysWOW64\gxwmqdi.exe
        
        "C:\WINDOWS\SYSTEM32\gxwmqdi.exe" mElTC:\WINDOWS\SYSWOW64\GFVCWRY.EXE
        128⤵
        
        PID:2952
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\GXWMQDI.EXE
        129⤵
        
        PID:272
        
        C:\WINDOWS\SysWOW64\awvznoz.exe
        
        "C:\WINDOWS\SYSTEM32\awvznoz.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        130⤵
        
        PID:2636
        
        C:\WINDOWS\SysWOW64\nmqcwwf.exe
        
        "C:\WINDOWS\SYSTEM32\nmqcwwf.exe" mElTC:\WINDOWS\SYSWOW64\AWVZNOZ.EXE
        131⤵
        
        PID:696
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NMQCWWF.EXE
        132⤵
        
        PID:2916
        
        C:\WINDOWS\SysWOW64\euqkcxy.exe
        
        "C:\WINDOWS\SYSTEM32\euqkcxy.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        133⤵
        Adds Run key to start application
        
        PID:780
        
        C:\WINDOWS\SysWOW64\otdhnvf.exe
        
        "C:\WINDOWS\SYSTEM32\otdhnvf.exe" mElTC:\WINDOWS\SYSWOW64\EUQKCXY.EXE
        134⤵
        
        PID:1088
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\OTDHNVF.EXE
        135⤵
        
        PID:2276
        
        C:\WINDOWS\SysWOW64\dqmvlvm.exe
        
        "C:\WINDOWS\SYSTEM32\dqmvlvm.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        136⤵
        
        PID:1644
        
        C:\WINDOWS\SysWOW64\lfznflv.exe
        
        "C:\WINDOWS\SYSTEM32\lfznflv.exe" mElTC:\WINDOWS\SYSWOW64\DQMVLVM.EXE
        137⤵
        
        PID:1032
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\LFZNFLV.EXE
        138⤵
        
        PID:2596
        
        C:\WINDOWS\SysWOW64\keohkvi.exe
        
        "C:\WINDOWS\SYSTEM32\keohkvi.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        139⤵
        
        PID:2148
        
        C:\WINDOWS\SysWOW64\wiyfiin.exe
        
        "C:\WINDOWS\SYSTEM32\wiyfiin.exe" mElTC:\WINDOWS\SYSWOW64\KEOHKVI.EXE
        140⤵
        
        PID:3008
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\WIYFIIN.EXE
        141⤵
        
        PID:2396
        
        C:\WINDOWS\SysWOW64\rfbydhr.exe
        
        "C:\WINDOWS\SYSTEM32\rfbydhr.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        142⤵
        
        PID:996
        
        C:\WINDOWS\SysWOW64\gzytmdt.exe
        
        "C:\WINDOWS\SYSTEM32\gzytmdt.exe" mElTC:\WINDOWS\SYSWOW64\RFBYDHR.EXE
        143⤵
        
        PID:1624
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\GZYTMDT.EXE
        144⤵
        
        PID:1840
        
        C:\WINDOWS\SysWOW64\ifbobqs.exe
        
        "C:\WINDOWS\SYSTEM32\ifbobqs.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        145⤵
        
        PID:1092
        
        C:\WINDOWS\SysWOW64\stdqlxc.exe
        
        "C:\WINDOWS\SYSTEM32\stdqlxc.exe" mElTC:\WINDOWS\SYSWOW64\IFBOBQS.EXE
        146⤵
        
        PID:2280
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\STDQLXC.EXE
        147⤵
        
        PID:892
        
        C:\WINDOWS\SysWOW64\puvvhio.exe
        
        "C:\WINDOWS\SYSTEM32\puvvhio.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        148⤵
        
        PID:2592
        
        C:\WINDOWS\SysWOW64\bwblans.exe
        
        "C:\WINDOWS\SYSTEM32\bwblans.exe" mElTC:\WINDOWS\SYSWOW64\PUVVHIO.EXE
        149⤵
        
        PID:2288
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\BWBLANS.EXE
        150⤵
        
        PID:2564
        
        C:\WINDOWS\SysWOW64\jalykgv.exe
        
        "C:\WINDOWS\SYSTEM32\jalykgv.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        151⤵
        
        PID:844
        
        C:\WINDOWS\SysWOW64\qizqevf.exe
        
        "C:\WINDOWS\SYSTEM32\qizqevf.exe" mElTC:\WINDOWS\SYSWOW64\JALYKGV.EXE
        152⤵
        
        PID:2640
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\QIZQEVF.EXE
        153⤵
        
        PID:984
        
        C:\WINDOWS\SysWOW64\lcegwon.exe
        
        "C:\WINDOWS\SYSTEM32\lcegwon.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        154⤵
        
        PID:1724
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\LCEGWON.EXE
        155⤵
        
        PID:2560
        
        C:\WINDOWS\SysWOW64\zvyenyf.exe
        
        "C:\WINDOWS\SYSTEM32\zvyenyf.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        156⤵
        
        PID:2532
        
        C:\WINDOWS\SysWOW64\pljlmpi.exe
        
        "C:\WINDOWS\SYSTEM32\pljlmpi.exe" mElTC:\WINDOWS\SYSWOW64\ZVYENYF.EXE
        157⤵
        
        PID:2332
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\PLJLMPI.EXE
        158⤵
        
        PID:2496
        
        C:\WINDOWS\SysWOW64\exprxqv.exe
        
        "C:\WINDOWS\SYSTEM32\exprxqv.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        159⤵
        Drops file in System32 directory
        
        PID:1148
        
        C:\WINDOWS\SysWOW64\dfogjtq.exe
        
        "C:\WINDOWS\SYSTEM32\dfogjtq.exe" mElTC:\WINDOWS\SYSWOW64\EXPRXQV.EXE
        160⤵
        
        PID:2644
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\DFOGJTQ.EXE
        161⤵
        
        PID:2480
        
        C:\WINDOWS\SysWOW64\vlnenhz.exe
        
        "C:\WINDOWS\SYSTEM32\vlnenhz.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        162⤵
        
        PID:1292
        
        C:\WINDOWS\SysWOW64\flrbygg.exe
        
        "C:\WINDOWS\SYSTEM32\flrbygg.exe" mElTC:\WINDOWS\SYSWOW64\VLNENHZ.EXE
        163⤵
        
        PID:2184
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\FLRBYGG.EXE
        164⤵
        
        PID:932
        
        C:\WINDOWS\SysWOW64\kxljrpl.exe
        
        "C:\WINDOWS\SYSTEM32\kxljrpl.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        165⤵
        
        PID:2396
        
        C:\WINDOWS\SysWOW64\juyzqtl.exe
        
        "C:\WINDOWS\SYSTEM32\juyzqtl.exe" mElTC:\WINDOWS\SYSWOW64\KXLJRPL.EXE
        166⤵
        Adds Run key to start application
        
        PID:2088
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\JUYZQTL.EXE
        167⤵
        
        PID:1624
        
        C:\WINDOWS\SysWOW64\aekpjtz.exe
        
        "C:\WINDOWS\SYSTEM32\aekpjtz.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        168⤵
        
        PID:1840
        
        C:\WINDOWS\SysWOW64\nkbkxck.exe
        
        "C:\WINDOWS\SYSTEM32\nkbkxck.exe" mElTC:\WINDOWS\SYSWOW64\AEKPJTZ.EXE
        169⤵
        
        PID:2812
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NKBKXCK.EXE
        170⤵
        
        PID:564
        
        C:\WINDOWS\SysWOW64\ojozcnb.exe
        
        "C:\WINDOWS\SYSTEM32\ojozcnb.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        171⤵
        
        PID:1728
        
        C:\WINDOWS\SysWOW64\evmffwo.exe
        
        "C:\WINDOWS\SYSTEM32\evmffwo.exe" mElTC:\WINDOWS\SYSWOW64\OJOZCNB.EXE
        172⤵
        
        PID:588
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\EVMFFWO.EXE
        173⤵
        
        PID:580
        
        C:\WINDOWS\SysWOW64\qxqkkdn.exe
        
        "C:\WINDOWS\SYSTEM32\qxqkkdn.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        174⤵
        
        PID:2564
        
        C:\WINDOWS\SysWOW64\sgqaczv.exe
        
        "C:\WINDOWS\SYSTEM32\sgqaczv.exe" mElTC:\WINDOWS\SYSWOW64\QXQKKDN.EXE
        175⤵
        
        PID:2636
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\SGQACZV.EXE
        176⤵
        
        PID:1636
        
        C:\WINDOWS\SysWOW64\ikcngze.exe
        
        "C:\WINDOWS\SYSTEM32\ikcngze.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        177⤵
        
        PID:668
        
        C:\WINDOWS\SysWOW64\xlxyaqu.exe
        
        "C:\WINDOWS\SYSTEM32\xlxyaqu.exe" mElTC:\WINDOWS\SYSWOW64\IKCNGZE.EXE
        178⤵
        
        PID:1920
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\XLXYAQU.EXE
        179⤵
        
        PID:2460
        
        C:\WINDOWS\SysWOW64\jqoacoc.exe
        
        "C:\WINDOWS\SYSTEM32\jqoacoc.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        180⤵
        
        PID:2064
        
        C:\WINDOWS\SysWOW64\vhrdkxh.exe
        
        "C:\WINDOWS\SYSTEM32\vhrdkxh.exe" mElTC:\WINDOWS\SYSWOW64\JQOACOC.EXE
        181⤵
        
        PID:2240
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\VHRDKXH.EXE
        182⤵
        
        PID:1556
        
        C:\WINDOWS\SysWOW64\fcqquzh.exe
        
        "C:\WINDOWS\SYSTEM32\fcqquzh.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        183⤵
        
        PID:1832
        
        C:\WINDOWS\SysWOW64\jzkqhvw.exe
        
        "C:\WINDOWS\SYSTEM32\jzkqhvw.exe" mElTC:\WINDOWS\SYSWOW64\FCQQUZH.EXE
        184⤵
        
        PID:2776
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\JZKQHVW.EXE
        185⤵
        
        PID:2032
        
        C:\WINDOWS\SysWOW64\jdytpuk.exe
        
        "C:\WINDOWS\SYSTEM32\jdytpuk.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        186⤵
        
        PID:2380
        
        C:\WINDOWS\SysWOW64\tonedxz.exe
        
        "C:\WINDOWS\SYSTEM32\tonedxz.exe" mElTC:\WINDOWS\SYSWOW64\JDYTPUK.EXE
        187⤵
        
        PID:900
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\TONEDXZ.EXE
        188⤵
        
        PID:1668
        
        C:\WINDOWS\SysWOW64\istjoyl.exe
        
        "C:\WINDOWS\SYSTEM32\istjoyl.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        189⤵
        
        PID:2940
        
        C:\WINDOWS\SysWOW64\xafjpcq.exe
        
        "C:\WINDOWS\SYSTEM32\xafjpcq.exe" mElTC:\WINDOWS\SYSWOW64\ISTJOYL.EXE
        190⤵
        
        PID:1620
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\XAFJPCQ.EXE
        191⤵
        
        PID:1696
        
        C:\WINDOWS\SysWOW64\arghrsv.exe
        
        "C:\WINDOWS\SYSTEM32\arghrsv.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        192⤵
        
        PID:1372
        
        C:\WINDOWS\SysWOW64\npbjaab.exe
        
        "C:\WINDOWS\SYSTEM32\npbjaab.exe" mElTC:\WINDOWS\SYSWOW64\ARGHRSV.EXE
        193⤵
        
        PID:2744
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NPBJAAB.EXE
        194⤵
        
        PID:2076
        
        C:\WINDOWS\SysWOW64\hgswxks.exe
        
        "C:\WINDOWS\SYSTEM32\hgswxks.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        195⤵
        
        PID:1080
        
        C:\WINDOWS\SysWOW64\zjohzuc.exe
        
        "C:\WINDOWS\SYSTEM32\zjohzuc.exe" mElTC:\WINDOWS\SYSWOW64\HGSWXKS.EXE
        196⤵
        
        PID:2624
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\ZJOHZUC.EXE
        197⤵
        
        PID:2912
        
        C:\WINDOWS\SysWOW64\gvofqbc.exe
        
        "C:\WINDOWS\SYSTEM32\gvofqbc.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        198⤵
        
        PID:3048
        
        C:\WINDOWS\SysWOW64\vglrzxf.exe
        
        "C:\WINDOWS\SYSTEM32\vglrzxf.exe" mElTC:\WINDOWS\SYSWOW64\GVOFQBC.EXE
        199⤵
        
        PID:308
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\VGLRZXF.EXE
        200⤵
        Drops file in System32 directory
        
        PID:1392
        
        C:\WINDOWS\SysWOW64\hmmsbax.exe
        
        "C:\WINDOWS\SYSTEM32\hmmsbax.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        201⤵
        
        PID:1712
        
        C:\WINDOWS\SysWOW64\ymmaaby.exe
        
        "C:\WINDOWS\SYSTEM32\ymmaaby.exe" mElTC:\WINDOWS\SYSWOW64\HMMSBAX.EXE
        202⤵
        
        PID:2448
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\YMMAABY.EXE
        203⤵
        
        PID:1492
        
        C:\WINDOWS\SysWOW64\qhjvwfs.exe
        
        "C:\WINDOWS\SYSTEM32\qhjvwfs.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        204⤵
        
        PID:2756
        
        C:\WINDOWS\SysWOW64\vuvdppx.exe
        
        "C:\WINDOWS\SYSTEM32\vuvdppx.exe" mElTC:\WINDOWS\SYSWOW64\QHJVWFS.EXE
        205⤵
        
        PID:764
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\VUVDPPX.EXE
        206⤵
        
        PID:3044
        
        C:\WINDOWS\SysWOW64\anaoctx.exe
        
        "C:\WINDOWS\SYSTEM32\anaoctx.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        207⤵
        
        PID:2344
        
        C:\WINDOWS\SysWOW64\lpjopxs.exe
        
        "C:\WINDOWS\SYSTEM32\lpjopxs.exe" mElTC:\WINDOWS\SYSWOW64\ANAOCTX.EXE
        208⤵
        
        PID:1776
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\LPJOPXS.EXE
        209⤵
        
        PID:1804
        
        C:\WINDOWS\SysWOW64\kvtulqn.exe
        
        "C:\WINDOWS\SYSTEM32\kvtulqn.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        210⤵
        
        PID:3056
        
        C:\WINDOWS\SysWOW64\hpohjlt.exe
        
        "C:\WINDOWS\SYSTEM32\hpohjlt.exe" mElTC:\WINDOWS\SYSWOW64\KVTULQN.EXE
        211⤵
        
        PID:1992
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\HPOHJLT.EXE
        212⤵
        
        PID:2728
        
        C:\WINDOWS\SysWOW64\folzwvf.exe
        
        "C:\WINDOWS\SYSTEM32\folzwvf.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        213⤵
        
        PID:2676
        
        C:\WINDOWS\SysWOW64\nlwfiba.exe
        
        "C:\WINDOWS\SYSTEM32\nlwfiba.exe" mElTC:\WINDOWS\SYSWOW64\FOLZWVF.EXE
        214⤵
        
        PID:2944
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\NLWFIBA.EXE
        215⤵
        
        PID:1936
        
        C:\WINDOWS\SysWOW64\hykfchs.exe
        
        "C:\WINDOWS\SYSTEM32\hykfchs.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        216⤵
        
        PID:2724
        
        C:\WINDOWS\SysWOW64\ggzpbch.exe
        
        "C:\WINDOWS\SYSTEM32\ggzpbch.exe" mElTC:\WINDOWS\SYSWOW64\HYKFCHS.EXE
        217⤵
        
        PID:2252
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\GGZPBCH.EXE
        218⤵
        
        PID:2884
        
        C:\WINDOWS\SysWOW64\zkyqpzn.exe
        
        "C:\WINDOWS\SYSTEM32\zkyqpzn.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        219⤵
        
        PID:580
        
        C:\WINDOWS\SysWOW64\gwgtsnd.exe
        
        "C:\WINDOWS\SYSTEM32\gwgtsnd.exe" mElTC:\WINDOWS\SYSWOW64\ZKYQPZN.EXE
        220⤵
        
        PID:1116
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\GWGTSND.EXE
        221⤵
        
        PID:1600
        
        C:\WINDOWS\SysWOW64\flbiire.exe
        
        "C:\WINDOWS\SYSTEM32\flbiire.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        222⤵
        
        PID:2916
        
        C:\WINDOWS\SysWOW64\scxvlml.exe
        
        "C:\WINDOWS\SYSTEM32\scxvlml.exe" mElTC:\WINDOWS\SYSWOW64\FLBIIRE.EXE
        223⤵
        
        PID:2428
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\SCXVLML.EXE
        224⤵
        
        PID:2460
        
        C:\WINDOWS\SysWOW64\bmtersm.exe
        
        "C:\WINDOWS\SYSTEM32\bmtersm.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        225⤵
        
        PID:1560
        
        C:\WINDOWS\SysWOW64\vzzemyf.exe
        
        "C:\WINDOWS\SYSTEM32\vzzemyf.exe" mElTC:\WINDOWS\SYSWOW64\BMTERSM.EXE
        226⤵
        
        PID:612
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\VZZEMYF.EXE
        227⤵
        
        PID:2368
        
        C:\WINDOWS\SysWOW64\vloneht.exe
        
        "C:\WINDOWS\SYSTEM32\vloneht.exe" mElTC:\WINDOWS\SYSWOW64\WNLOGON.EXE
        228⤵
        
        PID:2148
        
        C:\WINDOWS\SysWOW64\vdpfytd.exe
        
        "C:\WINDOWS\SYSTEM32\vdpfytd.exe" mElTC:\WINDOWS\SYSWOW64\VLONEHT.EXE
        229⤵
        
        PID:1628
        
        C:\WINDOWS\SysWOW64\WNLOGON.exe
        
        "C:\WINDOWS\SYSTEM32\WNLOGON.exe" mElTC:\WINDOWS\SYSWOW64\VDPFYTD.EXE
        230⤵
        
        PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\WNLOGON.exe

Filesize
19KB

MD5
3420e1a8010b0c0957e33532ed8b1dbc

SHA1
05f4bdc15c239e055690078d78e2e7d2710d997c

SHA256
c6f9179c5e09f5a5668680b35c8ba875cdf38df7cdbbeb14352fde9d8be28b7b

SHA512
7849bf3c683aaeec1762d99b77d2bfd70668ed82827c1731db660b86fa7b4053d46cc305c575047d196300cbe2368c84cb992f59aaa8a2a6b166df98dbe248c5

Download Submit
memory/312-439-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/476-231-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/588-59-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/756-433-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/784-479-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/844-46-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/884-511-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/952-487-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1124-391-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1140-503-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1180-415-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1220-247-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1372-351-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1392-407-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1456-199-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1476-108-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1532-279-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1608-447-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1668-327-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1700-71-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1728-359-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1804-319-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1812-167-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1812-495-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1824-175-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/1888-156-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2004-95-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2008-423-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2028-193-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2068-463-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2068-131-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2092-551-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2128-215-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2128-22-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2140-519-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2200-271-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2252-537-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2260-13-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2264-383-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2292-303-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2300-183-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2304-471-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2304-144-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2344-311-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2364-287-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2368-455-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2380-120-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2444-399-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2452-343-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2468-527-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2504-263-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2568-223-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2652-255-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2688-567-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2692-33-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2772-207-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2780-367-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2840-375-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2856-239-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2888-559-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2940-335-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2960-543-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2976-295-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3024-82-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads