ee4668d7ca1c84e11f460bf48f9e8f298bd4875862ba17f21e9deabc688b9494

Analysis

max time kernel
93s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2023, 17:10 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
Size

11.8MB
MD5

ceea1dc43163e1ab1bda2fbbac5cfda8
SHA1

6914ec125dea7aa7a9f77f0ee63f37b2ea1359ed
SHA256

ee4668d7ca1c84e11f460bf48f9e8f298bd4875862ba17f21e9deabc688b9494
SHA512

333ef5b203c293467f588e708b397542aad67385c60abff2451ca5b753a19579e3c2ae817656105dee0ae036c7e0a3e8965b867cb465b27abcfc844bc41d9d82
SSDEEP

196608:WzF3kAXqHjxbAQvaNJm3AqowejuJDUX47dwdW0JB2nTxYPJNupwl1:eFUOqHjxy/m3poaUX47d4edDI

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1964	netconn_properties.exe
3424	netconn_properties.exe
2108	upx.exe
3564	Conhost.exe
3012	upx.exe
1240	upx.exe
3784	upx.exe
476	upx.exe
2672	upx.exe
1584	upx.exe
4560	upx.exe
4624	Conhost.exe
1180	Conhost.exe
1388	Conhost.exe
2528	cmd.exe
4120	upx.exe
3624	cmd.exe
4948	cmd.exe
1424	Conhost.exe
2208	cmd.exe
456	upx.exe
472	upx.exe
1792	cmd.exe
3780	upx.exe
3944	cmd.exe
4660	upx.exe
4540	cmd.exe
808	cmd.exe
4776	upx.exe
3288	cmd.exe
3340	upx.exe
2712	upx.exe
2008	upx.exe
1084	cmd.exe
2044	cmd.exe
2012	upx.exe
2228	Conhost.exe
3904	Conhost.exe
216	upx.exe
2472	upx.exe
2800	upx.exe
3900	upx.exe
2400	Conhost.exe
1176	upx.exe
1984	cmd.exe
5092	cmd.exe
4584	BackgroundTransferHost.exe
1968	upx.exe
412	cmd.exe
3292	upx.exe
3364	upx.exe
4172	Conhost.exe
3904	Conhost.exe
216	upx.exe
1736	Conhost.exe
5088	upx.exe
4604	upx.exe
4540	cmd.exe
1176	upx.exe
1328	cmd.exe
948	upx.exe
840	upx.exe
4324	upx.exe
4744	Conhost.exe

Loads dropped DLL 19 IoCs

pid	Process
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000600000002315c-215.dat	upx
behavioral2/files/0x000600000002315c-217.dat	upx
behavioral2/memory/3564-218-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-219.dat	upx
behavioral2/memory/3012-221-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/3012-220-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-222.dat	upx
behavioral2/memory/1240-223-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-224.dat	upx
behavioral2/memory/3784-225-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-226.dat	upx
behavioral2/memory/476-227-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-228.dat	upx
behavioral2/memory/2672-229-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-230.dat	upx
behavioral2/memory/1584-231-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-232.dat	upx
behavioral2/memory/4560-233-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/4560-234-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-235.dat	upx
behavioral2/memory/4624-236-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-237.dat	upx
behavioral2/memory/1180-238-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-239.dat	upx
behavioral2/memory/1388-240-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-241.dat	upx
behavioral2/memory/2528-242-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-243.dat	upx
behavioral2/memory/4120-244-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-245.dat	upx
behavioral2/memory/3624-246-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-247.dat	upx
behavioral2/memory/4948-248-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-249.dat	upx
behavioral2/memory/1424-250-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-251.dat	upx
behavioral2/memory/2208-252-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-253.dat	upx
behavioral2/memory/456-254-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-255.dat	upx
behavioral2/memory/472-256-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/files/0x000600000002315c-257.dat	upx
behavioral2/memory/1792-258-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/3780-259-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/3944-260-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/3012-261-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/4660-262-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/4540-264-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/808-265-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/4776-266-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/3288-267-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/3340-268-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/2712-269-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/2008-270-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/1084-271-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/2044-272-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/2012-273-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/2228-274-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/3904-275-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/216-276-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/2472-277-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/2800-278-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/3900-279-0x0000000000400000-0x0000000000603000-memory.dmp	upx
behavioral2/memory/2400-280-0x0000000000400000-0x0000000000603000-memory.dmp	upx

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 752	3516	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	86
PID 3516 wrote to memory of 752	3516	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	86
PID 752 wrote to memory of 1964	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	89
PID 752 wrote to memory of 1964	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	89
PID 752 wrote to memory of 1964	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	89
PID 752 wrote to memory of 3424	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	94
PID 752 wrote to memory of 3424	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	94
PID 752 wrote to memory of 3424	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	94
PID 752 wrote to memory of 2108	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	492
PID 752 wrote to memory of 2108	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	492
PID 752 wrote to memory of 2108	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	492
PID 752 wrote to memory of 1084	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	241
PID 752 wrote to memory of 1084	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	241
PID 1084 wrote to memory of 3564	1084	cmd.exe	506
PID 1084 wrote to memory of 3564	1084	cmd.exe	506
PID 752 wrote to memory of 2860	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	102
PID 752 wrote to memory of 2860	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	102
PID 2860 wrote to memory of 3012	2860	cmd.exe	104
PID 2860 wrote to memory of 3012	2860	cmd.exe	104
PID 752 wrote to memory of 2176	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	372
PID 752 wrote to memory of 2176	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	372
PID 2176 wrote to memory of 1240	2176	Conhost.exe	107
PID 2176 wrote to memory of 1240	2176	Conhost.exe	107
PID 752 wrote to memory of 1080	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	447
PID 752 wrote to memory of 1080	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	447
PID 1080 wrote to memory of 3784	1080	upx.exe	111
PID 1080 wrote to memory of 3784	1080	upx.exe	111
PID 752 wrote to memory of 232	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	112
PID 752 wrote to memory of 232	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	112
PID 232 wrote to memory of 476	232	cmd.exe	115
PID 232 wrote to memory of 476	232	cmd.exe	115
PID 752 wrote to memory of 4528	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	116
PID 752 wrote to memory of 4528	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	116
PID 4528 wrote to memory of 2672	4528	cmd.exe	574
PID 4528 wrote to memory of 2672	4528	cmd.exe	574
PID 752 wrote to memory of 1068	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	380
PID 752 wrote to memory of 1068	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	380
PID 1068 wrote to memory of 1584	1068	cmd.exe	425
PID 1068 wrote to memory of 1584	1068	cmd.exe	425
PID 752 wrote to memory of 972	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	424
PID 752 wrote to memory of 972	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	424
PID 972 wrote to memory of 4560	972	Conhost.exe	124
PID 972 wrote to memory of 4560	972	Conhost.exe	124
PID 752 wrote to memory of 4696	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	223
PID 752 wrote to memory of 4696	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	223
PID 4696 wrote to memory of 4624	4696	Conhost.exe	171
PID 4696 wrote to memory of 4624	4696	Conhost.exe	171
PID 752 wrote to memory of 3836	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	452
PID 752 wrote to memory of 3836	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	452
PID 3836 wrote to memory of 1180	3836	Conhost.exe	346
PID 3836 wrote to memory of 1180	3836	Conhost.exe	346
PID 752 wrote to memory of 3092	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	535
PID 752 wrote to memory of 3092	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	535
PID 3092 wrote to memory of 1388	3092	cmd.exe	403
PID 3092 wrote to memory of 1388	3092	cmd.exe	403
PID 752 wrote to memory of 5092	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	484
PID 752 wrote to memory of 5092	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	484
PID 5092 wrote to memory of 2528	5092	cmd.exe	280
PID 5092 wrote to memory of 2528	5092	cmd.exe	280
PID 752 wrote to memory of 1656	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	137
PID 752 wrote to memory of 1656	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	137
PID 1656 wrote to memory of 4120	1656	cmd.exe	139
PID 1656 wrote to memory of 4120	1656	cmd.exe	139
PID 752 wrote to memory of 2944	752	ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe	140

C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
"C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe"
  2⤵
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\netconn_properties.exe
    C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/netconn_properties.exe
    3⤵
    - Executes dropped EXE
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\netconn_properties.exe
    C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/netconn_properties.exe
    3⤵
    - Executes dropped EXE
    PID:3424
- - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\registers.exe
    C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/registers.exe
    3⤵
    PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t """
    3⤵
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t ""
      4⤵
      PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "Registry""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "Registry"
      4⤵
      Executes dropped EXE
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dwm.exe""
    3⤵
    PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dwm.exe"
      4⤵
      Executes dropped EXE
      PID:1240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dwm.exe""
    3⤵
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dwm.exe"
      4⤵
      Executes dropped EXE
      PID:3784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\smss.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\smss.exe"
      4⤵
      Executes dropped EXE
      PID:476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\smss.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4528
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\smss.exe"
      4⤵
      PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\csrss.exe""
    3⤵
    PID:1068
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\csrss.exe"
      4⤵
      PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\csrss.exe""
    3⤵
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\csrss.exe"
      4⤵
      Executes dropped EXE
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wininit.exe""
    3⤵
    PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wininit.exe"
      4⤵
      PID:4624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wininit.exe""
    3⤵
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wininit.exe"
      4⤵
      PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\csrss.exe""
    3⤵
    PID:3092
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\csrss.exe"
      4⤵
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\csrss.exe""
    3⤵
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\csrss.exe"
      4⤵
      PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\winlogon.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\winlogon.exe"
      4⤵
      Executes dropped EXE
      PID:4120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\winlogon.exe""
    3⤵
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\winlogon.exe"
      4⤵
      PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3136
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\services.exe""
    3⤵
    PID:3312
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\services.exe"
      4⤵
      PID:2208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\services.exe""
    3⤵
    PID:4000
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\services.exe"
      4⤵
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\lsass.exe""
    3⤵
    PID:1700
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\lsass.exe"
      4⤵
      PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\lsass.exe""
    3⤵
    PID:764
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\lsass.exe"
      4⤵
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe""
    3⤵
    PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe"
      4⤵
      Executes dropped EXE
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe""
    3⤵
    PID:3028
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:4624
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe"
      4⤵
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\fontdrvhost.exe""
    3⤵
    PID:4652
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\fontdrvhost.exe"
      4⤵
      PID:808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\fontdrvhost.exe""
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\fontdrvhost.exe"
      4⤵
      Executes dropped EXE
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\fontdrvhost.exe""
    3⤵
    PID:2536
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\fontdrvhost.exe"
      4⤵
      PID:3288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\fontdrvhost.exe""
    3⤵
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\fontdrvhost.exe"
      4⤵
      Executes dropped EXE
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:328
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3484
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe""
    3⤵
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe"
      4⤵
      Executes dropped EXE
      PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe""
    3⤵
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe"
      4⤵
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4608
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4696
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3288
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:1968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:956
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3892
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2280
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4780
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3696
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:2528
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:632
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:5036
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3492
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3848
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:808
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4720
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1928
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:3904
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\spoolsv.exe""
    3⤵
    - Executes dropped EXE
    PID:1792
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\spoolsv.exe"
      4⤵
      PID:460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\spoolsv.exe""
    3⤵
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\spoolsv.exe"
      4⤵
      PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wbem\WmiPrvSE.exe""
    3⤵
    - Executes dropped EXE
    PID:4540
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:1180
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wbem\WmiPrvSE.exe"
      4⤵
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wbem\WmiPrvSE.exe""
    3⤵
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wbem\WmiPrvSE.exe"
      4⤵
      PID:4232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2600
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4400
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2668
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:2228
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2016
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2672
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3852
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2540
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1520
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3792
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe""
    3⤵
    PID:2124
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:1388
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
      4⤵
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe""
    3⤵
    PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
      4⤵
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4568
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3940
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:112
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\sysmon.exe""
    3⤵
    PID:460
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\sysmon.exe"
      4⤵
      PID:1736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\sysmon.exe""
    3⤵
    PID:3280
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:972
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\sysmon.exe"
      4⤵
      Executes dropped EXE
      PID:1584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3668
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:1424
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:1328
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:2044
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\sihost.exe""
    3⤵
    PID:4284
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\sihost.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\sihost.exe""
    3⤵
    PID:2308
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\sihost.exe"
      4⤵
      PID:2600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\sppsvc.exe""
    3⤵
    PID:1556
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\sppsvc.exe"
      4⤵
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\sppsvc.exe""
    3⤵
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\sppsvc.exe"
      4⤵
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:3624
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wbem\unsecapp.exe""
    3⤵
    PID:3408
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wbem\unsecapp.exe"
      4⤵
      PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wbem\unsecapp.exe""
    3⤵
    PID:464
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\wbem\unsecapp.exe"
      4⤵
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\taskhostw.exe""
    3⤵
    PID:3520
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1660
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\taskhostw.exe"
      4⤵
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\taskhostw.exe""
    3⤵
    - Executes dropped EXE
    PID:3944
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\taskhostw.exe"
      4⤵
      PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:5048
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1200
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\explorer.exe""
    3⤵
    PID:3512
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\explorer.exe"
      4⤵
      PID:1744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\explorer.exe""
    3⤵
    PID:396
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\explorer.exe"
      4⤵
      Executes dropped EXE
      PID:2108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    - Executes dropped EXE
    PID:3288
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:832
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:5000
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4464
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:3564
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:628
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1420
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\SppExtComObj.Exe""
    3⤵
    PID:3788
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4424
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\SppExtComObj.Exe"
      4⤵
      PID:112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\SppExtComObj.Exe""
    3⤵
    PID:1988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\SppExtComObj.Exe"
      4⤵
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe""
    3⤵
    PID:1336
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:1736
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe"
      4⤵
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe""
    3⤵
    PID:360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Users\Admin\AppData\Local\Temp\ceea1dc43163e1ab1bda2fbbac5cfda8.bin.exe"
      4⤵
      PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dllhost.exe""
    3⤵
    PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dllhost.exe"
      4⤵
      PID:3880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dllhost.exe""
    3⤵
    - Executes dropped EXE
    PID:412
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dllhost.exe"
      4⤵
      PID:328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dllhost.exe""
    3⤵
    PID:3468
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dllhost.exe"
      4⤵
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dllhost.exe""
    3⤵
    PID:4620
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\dllhost.exe"
      4⤵
      PID:3208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4608
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"
      4⤵
      PID:932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe""
    3⤵
    PID:2952
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"
      4⤵
      PID:2988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe""
    3⤵
    PID:5072
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe"
      4⤵
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe""
    3⤵
    PID:2544
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe"
      4⤵
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe""
    3⤵
    PID:4944
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:396
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"
      4⤵
      PID:1380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe""
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"
      4⤵
      PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3896
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2808
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3020
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe""
    3⤵
    PID:4980
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe"
      4⤵
      PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe""
    3⤵
    PID:2940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4880
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe"
      4⤵
      PID:4400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1172
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3152
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2244
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\servicing\TrustedInstaller.exe""
    3⤵
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\servicing\TrustedInstaller.exe"
      4⤵
      Executes dropped EXE
      PID:2672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\servicing\TrustedInstaller.exe""
    3⤵
    PID:2056
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\servicing\TrustedInstaller.exe"
      4⤵
      Executes dropped EXE
      PID:3780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:276
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:464
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:2800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:3228
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1944
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3000
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1836
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:328
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:5048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe""
    3⤵
    PID:1592
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Executes dropped EXE
      PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe"
      4⤵
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe""
    3⤵
    PID:808
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1040
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\RuntimeBroker.exe"
      4⤵
      PID:5056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:4232
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      Executes dropped EXE
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2204
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:2024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe""
    3⤵
    PID:2172
  - - C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe/upx.exe -t "C:\Windows\System32\svchost.exe"
      4⤵
      PID:3412

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:4952

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
PID:4584

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

55.154.139.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

55.154.139.52.in-addr.arpa

IN PTR

Response
DNS

36.146.190.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

36.146.190.20.in-addr.arpa

IN PTR

Response

36.146.190.20.in-addr.arpa

IN CNAME

36.0-26.146.190.20.in-addr.arpa
DNS

232.168.11.51.in-addr.arpa

Remote address:

8.8.8.8:53

Request

232.168.11.51.in-addr.arpa

IN PTR

Response
DNS

58.104.205.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.104.205.20.in-addr.arpa

IN PTR

Response
DNS

76.38.195.152.in-addr.arpa

Remote address:

8.8.8.8:53

Request

76.38.195.152.in-addr.arpa

IN PTR

Response
DNS

160.252.72.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

160.252.72.23.in-addr.arpa

IN PTR

Response

160.252.72.23.in-addr.arpa

IN PTR

a23-72-252-160deploystaticakamaitechnologiescom
DNS

0.77.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.77.109.52.in-addr.arpa

IN PTR

Response
DNS

0.77.109.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

0.77.109.52.in-addr.arpa

IN PTR

Response
DNS

147.44.123.190.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.44.123.190.in-addr.arpa

IN PTR

Response
DNS

147.44.123.190.in-addr.arpa

Remote address:

8.8.8.8:53

Request

147.44.123.190.in-addr.arpa

IN PTR

Response

52.152.110.14:443

260 B
5
13.89.178.26:443

322 B
7
52.152.110.14:443

260 B
5
117.18.237.29:80

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
209.197.3.8:80

322 B
7
173.223.113.164:443

322 B
7
52.152.110.14:443

260 B
5
173.223.113.131:80

322 B
7
204.79.197.203:80

322 B
7
52.152.110.14:443

260 B
5
52.152.110.14:443

260 B
5
190.123.44.147:38975

1.6MB
20.3kB
1117
497
52.152.110.14:443

208 B
4

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

55.154.139.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

55.154.139.52.in-addr.arpa
8.8.8.8:53

36.146.190.20.in-addr.arpa

dns

72 B
168 B
1
1

DNS Request

36.146.190.20.in-addr.arpa
8.8.8.8:53

232.168.11.51.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

232.168.11.51.in-addr.arpa
8.8.8.8:53

58.104.205.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

58.104.205.20.in-addr.arpa
8.8.8.8:53

76.38.195.152.in-addr.arpa

dns

72 B
143 B
1
1

DNS Request

76.38.195.152.in-addr.arpa
8.8.8.8:53

160.252.72.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

160.252.72.23.in-addr.arpa
8.8.8.8:53

0.77.109.52.in-addr.arpa

dns

140 B
288 B
2
2

DNS Request

0.77.109.52.in-addr.arpa

DNS Request

0.77.109.52.in-addr.arpa
8.8.8.8:53

147.44.123.190.in-addr.arpa

dns

146 B
270 B
2
2

DNS Request

147.44.123.190.in-addr.arpa

DNS Request

147.44.123.190.in-addr.arpa

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI35162\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_bz2.pyd

Filesize
82KB

MD5
a8a37ba5e81d967433809bf14d34e81d

SHA1
e4d9265449950b5c5a665e8163f7dda2badd5c41

SHA256
50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b

SHA512
b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_bz2.pyd

Filesize
82KB

MD5
a8a37ba5e81d967433809bf14d34e81d

SHA1
e4d9265449950b5c5a665e8163f7dda2badd5c41

SHA256
50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b

SHA512
b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_ctypes.pyd

Filesize
120KB

MD5
496dcf8821ffc12f476878775999a8f3

SHA1
6b89b8fdd7cd610c08e28c3a14b34f751580cffd

SHA256
b59e103f8ec6c1190ded21eef27bea01579220909c3968eeec37d46d2ed39e80

SHA512
07118f44b83d58f333bc4b853e9be66dffb3f7db8e65e0226975297bf5794ebdaa2c7a51ef84971faf4d4233a68a6b5e9ac02e737d16c0ac19a6cf65fad9443f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_ctypes.pyd

Filesize
120KB

MD5
496dcf8821ffc12f476878775999a8f3

SHA1
6b89b8fdd7cd610c08e28c3a14b34f751580cffd

SHA256
b59e103f8ec6c1190ded21eef27bea01579220909c3968eeec37d46d2ed39e80

SHA512
07118f44b83d58f333bc4b853e9be66dffb3f7db8e65e0226975297bf5794ebdaa2c7a51ef84971faf4d4233a68a6b5e9ac02e737d16c0ac19a6cf65fad9443f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_hashlib.pyd

Filesize
63KB

MD5
1c88b53c50b5f2bb687b554a2fc7685d

SHA1
bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3

SHA256
19dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778

SHA512
a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_hashlib.pyd

Filesize
63KB

MD5
1c88b53c50b5f2bb687b554a2fc7685d

SHA1
bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3

SHA256
19dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778

SHA512
a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_lzma.pyd

Filesize
155KB

MD5
bc07d7ac5fdc92db1e23395fde3420f2

SHA1
e89479381beeba40992d8eb306850977d3b95806

SHA256
ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b

SHA512
b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_lzma.pyd

Filesize
155KB

MD5
bc07d7ac5fdc92db1e23395fde3420f2

SHA1
e89479381beeba40992d8eb306850977d3b95806

SHA256
ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b

SHA512
b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_socket.pyd

Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_socket.pyd

Filesize
77KB

MD5
290dbf92268aebde8b9507b157bef602

SHA1
bea7221d7abbbc48840b46a19049217b27d3d13a

SHA256
e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe

SHA512
9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_uuid.pyd

Filesize
24KB

MD5
a16b1acfdaadc7bb4f6ddf17659a8d12

SHA1
482982d623d88627c447f96703e4d166f9e51db4

SHA256
8af17a746533844b0f1b8f15f612e1cf0df76ac8f073388e80cfc60759e94de0

SHA512
03d65f37efc6aba325109b5a982be71380210d41dbf8c068d6a994228888d805adac1264851cc6f378e61c3aff1485cc6c059e83218b239397eda0cec87bd533

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\_uuid.pyd

Filesize
24KB

MD5
a16b1acfdaadc7bb4f6ddf17659a8d12

SHA1
482982d623d88627c447f96703e4d166f9e51db4

SHA256
8af17a746533844b0f1b8f15f612e1cf0df76ac8f073388e80cfc60759e94de0

SHA512
03d65f37efc6aba325109b5a982be71380210d41dbf8c068d6a994228888d805adac1264851cc6f378e61c3aff1485cc6c059e83218b239397eda0cec87bd533

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\base_library.zip

Filesize
1.7MB

MD5
948430bbba768d83a37fc725d7d31fbb

SHA1
e00d912fe85156f61fd8cd109d840d2d69b9629b

SHA256
65ebc074b147d65841a467a49f30a5f2f54659a0cc5dc31411467263a37c02df

SHA512
aad73403964228ed690ce3c5383e672b76690f776d4ff38792544c67e6d7b54eb56dd6653f4a89f7954752dae78ca35f738e000ffff07fdfb8ef2af708643186

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\netconn_properties.exe

Filesize
124KB

MD5
95b3716675657cd9114a2fec0ebdaa81

SHA1
e8d1c6f02f5001176f51367466845e57bebb7315

SHA256
e3afd068e68407e0f7428e194eab99ba6ed0eef92e86fa1ff9daa175603acb5c

SHA512
46c00007bd6ad5ea4bb4fd6305007dc87a18c7cdbe2a2fe8f002a81dba02836bb281d859779ae22588ea4c2ed2f9e305f516194f551e24894eefd5b3a23beba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\netconn_properties.exe

Filesize
124KB

MD5
95b3716675657cd9114a2fec0ebdaa81

SHA1
e8d1c6f02f5001176f51367466845e57bebb7315

SHA256
e3afd068e68407e0f7428e194eab99ba6ed0eef92e86fa1ff9daa175603acb5c

SHA512
46c00007bd6ad5ea4bb4fd6305007dc87a18c7cdbe2a2fe8f002a81dba02836bb281d859779ae22588ea4c2ed2f9e305f516194f551e24894eefd5b3a23beba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\netconn_properties.exe

Filesize
124KB

MD5
95b3716675657cd9114a2fec0ebdaa81

SHA1
e8d1c6f02f5001176f51367466845e57bebb7315

SHA256
e3afd068e68407e0f7428e194eab99ba6ed0eef92e86fa1ff9daa175603acb5c

SHA512
46c00007bd6ad5ea4bb4fd6305007dc87a18c7cdbe2a2fe8f002a81dba02836bb281d859779ae22588ea4c2ed2f9e305f516194f551e24894eefd5b3a23beba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\registers.exe

Filesize
113KB

MD5
c23f914f54bdfdbb4189ddabdebec70d

SHA1
8c6a72c231ba921f121c6d13e15f023697ddf045

SHA256
348f47aa5448e5135adc5a4232f3f1b69eb93d83227dd9ab0e060476c7c544bc

SHA512
ae1c3c856c08eec52d7cb46afb5fa3d9cd4a201ce86d07d2a19bd9f7820e44ddece2df8a9577638d1fb112c722c0127e16373c4f6a5b5a30036dd535e1680a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\registers.exe

Filesize
113KB

MD5
c23f914f54bdfdbb4189ddabdebec70d

SHA1
8c6a72c231ba921f121c6d13e15f023697ddf045

SHA256
348f47aa5448e5135adc5a4232f3f1b69eb93d83227dd9ab0e060476c7c544bc

SHA512
ae1c3c856c08eec52d7cb46afb5fa3d9cd4a201ce86d07d2a19bd9f7820e44ddece2df8a9577638d1fb112c722c0127e16373c4f6a5b5a30036dd535e1680a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\exe\upx.exe

Filesize
525KB

MD5
8a98406e32ed6139bd9e75342d452948

SHA1
ed77737b88a7351d0bc5f542ddb7ce84f8f95588

SHA256
a4240ea0e8a916d15f8391edef9705ab4de1f516dd360f0a336c5358686d434b

SHA512
f5b17975560d97308a6ee66845225715e82bade9df7bc36821c76fe67fcf8d22929bf21b85e28dd11b7399d0109ab1f3786fd2010c2e5023d3a93d2bd5cf678b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\libffi-8.dll

Filesize
37KB

MD5
d86a9d75380fab7640bb950aeb05e50e

SHA1
1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

SHA256
68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

SHA512
18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\libffi-8.dll

Filesize
37KB

MD5
d86a9d75380fab7640bb950aeb05e50e

SHA1
1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

SHA256
68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

SHA512
18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\psutil\_psutil_windows.pyd

Filesize
75KB

MD5
5e9fc79283d08421683cb9e08ae5bf15

SHA1
b3021534d2647d90cd6d445772d2e362a04d5ddf

SHA256
d5685e38faccdf97ce6ffe4cf53cbfcf48bb20bf83abe316fba81d1abd093cb6

SHA512
9133011ae8eb0110da9f72a18d26bbc57098a74983af8374d1247b9a336ee32db287ed26f4d010d31a7d64eacdc9cf99a75faab194eff25b04299e5761af1a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\python3.DLL

Filesize
65KB

MD5
2ad3039bd03669f99e948f449d9f778b

SHA1
dae8f661990c57adb171667b9206c8d84c50ecad

SHA256
852b901e17022c437f8fc3039a5af2ee80c5d509c9ef5f512041af17c48fcd61

SHA512
8ffeaa6cd491d7068f9176fd628002c84256802bd47a17742909f561ca1da6a2e7c600e17cd983063e8a93c2bbe9b981bd43e55443d28e32dfb504d7f1e120c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\python3.dll

Filesize
65KB

MD5
2ad3039bd03669f99e948f449d9f778b

SHA1
dae8f661990c57adb171667b9206c8d84c50ecad

SHA256
852b901e17022c437f8fc3039a5af2ee80c5d509c9ef5f512041af17c48fcd61

SHA512
8ffeaa6cd491d7068f9176fd628002c84256802bd47a17742909f561ca1da6a2e7c600e17cd983063e8a93c2bbe9b981bd43e55443d28e32dfb504d7f1e120c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\python3.dll

Filesize
65KB

MD5
2ad3039bd03669f99e948f449d9f778b

SHA1
dae8f661990c57adb171667b9206c8d84c50ecad

SHA256
852b901e17022c437f8fc3039a5af2ee80c5d509c9ef5f512041af17c48fcd61

SHA512
8ffeaa6cd491d7068f9176fd628002c84256802bd47a17742909f561ca1da6a2e7c600e17cd983063e8a93c2bbe9b981bd43e55443d28e32dfb504d7f1e120c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\python311.dll

Filesize
5.5MB

MD5
1fe47c83669491bf38a949253d7d960f

SHA1
de5cc181c0e26cbcb31309fe00d9f2f5264d2b25

SHA256
0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae

SHA512
05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\pywin32_system32\pythoncom311.dll

Filesize
675KB

MD5
f655cc794762ae686c65b969e83f1e84

SHA1
ac635354ea70333c439aa7f97f2e1759df883e38

SHA256
9111856645f779f137c46d78a68374292fc512a2a4038466476bb9c6024097b5

SHA512
7dde92438d920e832025ae0a54dbf1b7acc6192d937b1babc388706723e92910bd355aa4bb0e8ef6378c71460468537fef9fd3031d048adf0743d48aed229c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\pywin32_system32\pythoncom311.dll

Filesize
675KB

MD5
f655cc794762ae686c65b969e83f1e84

SHA1
ac635354ea70333c439aa7f97f2e1759df883e38

SHA256
9111856645f779f137c46d78a68374292fc512a2a4038466476bb9c6024097b5

SHA512
7dde92438d920e832025ae0a54dbf1b7acc6192d937b1babc388706723e92910bd355aa4bb0e8ef6378c71460468537fef9fd3031d048adf0743d48aed229c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\pywin32_system32\pywintypes311.dll

Filesize
134KB

MD5
1696732a242bfaf6a50bd98eb7874f23

SHA1
090a85275c7c67430d511570bab36eb299c7e787

SHA256
6583c15de0f5a1b20c8750b0599e5cf162f91f239f8341bda842485d8bbc9887

SHA512
70a03adb89649cece59e6b84a2f79ad53cf7c308ffaca8b19c0b64b59858e73a75addd131776d54b5bf12b747bcbb1ff9a4ce0e35d06bb995e34c5687dd3a25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\pywin32_system32\pywintypes311.dll

Filesize
134KB

MD5
1696732a242bfaf6a50bd98eb7874f23

SHA1
090a85275c7c67430d511570bab36eb299c7e787

SHA256
6583c15de0f5a1b20c8750b0599e5cf162f91f239f8341bda842485d8bbc9887

SHA512
70a03adb89649cece59e6b84a2f79ad53cf7c308ffaca8b19c0b64b59858e73a75addd131776d54b5bf12b747bcbb1ff9a4ce0e35d06bb995e34c5687dd3a25b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\select.pyd

Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\select.pyd

Filesize
29KB

MD5
4ac28414a1d101e94198ae0ac3bd1eb8

SHA1
718fbf58ab92a2be2efdb84d26e4d37eb50ef825

SHA256
b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5

SHA512
2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\win32api.pyd

Filesize
136KB

MD5
3210cb66deb7f1bbcc46b4c3832c7e10

SHA1
5c5f59a29f5ef204f52fd3a9433b3a27d8a30229

SHA256
bf5147f4fffbffa77d9169b65af13d983e2fcccdbca8151d72814c55939bb2c4

SHA512
5d51ede8f464ca7e151bfaaef0b7e81f5ce16678d35a573cae2994db602c2d93f0463c3936fb896dee1cf5192b69fb1051594efa5d4f248a02226ca50b6bfa5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\win32api.pyd

Filesize
136KB

MD5
3210cb66deb7f1bbcc46b4c3832c7e10

SHA1
5c5f59a29f5ef204f52fd3a9433b3a27d8a30229

SHA256
bf5147f4fffbffa77d9169b65af13d983e2fcccdbca8151d72814c55939bb2c4

SHA512
5d51ede8f464ca7e151bfaaef0b7e81f5ce16678d35a573cae2994db602c2d93f0463c3936fb896dee1cf5192b69fb1051594efa5d4f248a02226ca50b6bfa5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\win32net.pyd

Filesize
96KB

MD5
cd9f5e5fc0b6d4e98df615fc9ad65bd6

SHA1
107d66711f191d8715221d6f749a0e7d5c734e0f

SHA256
3a9a7e6f02d1f7704298a86e5662b1f62356fc00a8344984d76a83aa524313d6

SHA512
c6b338db08d18a606e6b4f65d2886f0cab01c06fad87a6fc0cd87dbfed7c34895ee9a67d272cf4f8be5bb2b3a8820ad66580db60e6b9492b6ed22c1c57a0c109

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\win32net.pyd

Filesize
96KB

MD5
cd9f5e5fc0b6d4e98df615fc9ad65bd6

SHA1
107d66711f191d8715221d6f749a0e7d5c734e0f

SHA256
3a9a7e6f02d1f7704298a86e5662b1f62356fc00a8344984d76a83aa524313d6

SHA512
c6b338db08d18a606e6b4f65d2886f0cab01c06fad87a6fc0cd87dbfed7c34895ee9a67d272cf4f8be5bb2b3a8820ad66580db60e6b9492b6ed22c1c57a0c109

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\win32security.pyd

Filesize
143KB

MD5
bff7ba95ce1042f0e66f6bd816bbf89d

SHA1
894a9117d57a7fceecf1a32b0536bdfd6857a5c7

SHA256
9da6bc4dee6d8f6484b77f794527e02a8041d5aef2c308cbcc1eb01e996223a6

SHA512
0d6abba44ba57790fa85006528920b9bfd6224b0509834b7b49f235dd36340aad61a08be140090ffe00de198002fd3200d8d6ee753749e4635a47d1920924374

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35162\win32security.pyd

Filesize
143KB

MD5
bff7ba95ce1042f0e66f6bd816bbf89d

SHA1
894a9117d57a7fceecf1a32b0536bdfd6857a5c7

SHA256
9da6bc4dee6d8f6484b77f794527e02a8041d5aef2c308cbcc1eb01e996223a6

SHA512
0d6abba44ba57790fa85006528920b9bfd6224b0509834b7b49f235dd36340aad61a08be140090ffe00de198002fd3200d8d6ee753749e4635a47d1920924374

Download Submit
memory/216-306-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/216-276-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/216-291-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/360-334-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/360-310-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/412-286-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/440-365-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/456-254-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/456-303-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/460-330-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/472-256-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/472-328-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/476-227-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/808-265-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/832-320-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/840-299-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/948-298-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/948-397-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1052-417-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1080-403-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1080-348-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1084-271-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1104-371-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1176-281-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1176-296-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1180-238-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1200-312-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1240-223-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1328-297-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1388-240-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1404-357-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1404-415-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1404-385-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1420-411-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1424-250-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1452-351-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1452-349-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1468-342-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1584-361-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1584-231-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1584-389-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1736-292-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1736-387-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1792-258-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1836-393-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1880-332-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1928-355-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1968-285-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/1984-282-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2008-270-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2012-273-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2020-316-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2044-272-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2084-409-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2084-379-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2204-399-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2208-252-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2228-274-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2308-375-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2400-280-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2400-338-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2472-277-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2472-359-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2528-242-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2600-405-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2672-229-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2712-269-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/2800-278-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3012-261-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3012-220-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3012-221-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3136-324-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3136-302-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3288-267-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3292-287-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3340-268-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3348-377-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3348-407-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3364-288-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3364-367-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3364-395-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3468-423-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3484-308-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3564-218-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3624-246-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3776-318-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3780-259-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3784-225-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3792-344-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3900-279-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3904-275-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3904-290-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/3944-260-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4052-304-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4120-244-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4140-322-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4160-419-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4172-289-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4232-340-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4288-373-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4324-300-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4424-413-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4424-383-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4448-353-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4460-346-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4540-264-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4540-295-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4560-234-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4560-233-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4584-284-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4604-294-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4624-236-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4660-262-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4664-314-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4672-336-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4672-363-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4744-301-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4776-266-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4880-381-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4888-401-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/4948-248-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5016-369-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5036-326-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5080-391-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5080-421-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5088-293-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download
memory/5092-283-0x0000000000400000-0x0000000000603000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.