f0ac3d737f450eb47df7da5825cd5e17f24df008a8ee1ac901e133088a04e968

Analysis

max time kernel
16s
max time network
26s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b716b755248d5784df33e2f6f21aa979.exe
Size

39KB
MD5

b716b755248d5784df33e2f6f21aa979
SHA1

6334cbac13f76896c674d50d3ad5c7fcc7de4ab6
SHA256

f0ac3d737f450eb47df7da5825cd5e17f24df008a8ee1ac901e133088a04e968
SHA512

f14e71a25188fda76bf02170f99474aa643d6076ac4644f2ffe0b61feddaaf22d020f50a13a88304a76aef7afee68d644a93ad28afd537c331242d4e6c53ccfb
SSDEEP

768:gleasIfgzZmRCQfI1goVStho4DTslbPfsIm7jFbyULcNENz:q1sTdmRCQg1/VSrGlbs57j1hcNy

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
860	b716b755248d5784df33e2f6f21aa979.exe
1288	mdm.exe
2020	mdm.exe
2080	mdm.exe
3948	mdm.exe
4068	mdm.exe
3936	mdm.exe
1268	mdm.exe
2676	mdm.exe
4100	mdm.exe
2700	mdm.exe
1404	mdm.exe
2352	mdm.exe
1832	mdm.exe
3712	mdm.exe
544	mdm.exe
1888	mdm.exe
4684	mdm.exe
1748	mdm.exe
472	mdm.exe
2488	mdm.exe
1440	mdm.exe
4108	mdm.exe
5072	mdm.exe
2012	mdm.exe
1768	mdm.exe
4224	mdm.exe
4060	mdm.exe
3668	mdm.exe
5004	mdm.exe
2380	mdm.exe
2264	mdm.exe
2180	mdm.exe
4916	mdm.exe
4416	mdm.exe
1196	mdm.exe
1132	mdm.exe
2028	mdm.exe
2596	mdm.exe
4836	mdm.exe
4324	mdm.exe
1120	mdm.exe
4284	mdm.exe
2584	mdm.exe
2276	mdm.exe
656	mdm.exe
2160	mdm.exe
4076	mdm.exe
3032	mdm.exe
1292	mdm.exe
540	mdm.exe
4536	mdm.exe
4828	mdm.exe
3112	mdm.exe
2864	mdm.exe
4728	mdm.exe
2428	mdm.exe
524	mdm.exe
1116	mdm.exe
1324	mdm.exe
4888	mdm.exe
1660	mdm.exe
3176	mdm.exe
4868	mdm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/860-2-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/860-4-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/860-6-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2020-16-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3948-24-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3936-32-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3936-31-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2676-39-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2700-46-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2352-53-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3712-61-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1888-69-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1748-77-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2488-86-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4108-95-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2012-101-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4224-110-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3668-116-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2380-126-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2180-133-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4416-140-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4416-145-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1132-150-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2596-159-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4324-165-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4284-173-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2276-183-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2160-189-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2160-194-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3032-198-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3032-204-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/540-209-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4828-218-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2864-226-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2428-234-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1116-239-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4888-249-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3176-258-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2628-265-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4064-268-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4956-274-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1768-280-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4612-289-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3564-295-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/832-299-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4916-307-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3204-311-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2724-317-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/2964-326-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1448-330-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4624-336-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3688-343-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1884-351-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4848-354-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1112-361-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1760-368-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3228-372-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3532-379-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4692-385-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4332-391-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/764-397-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1440-405-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/1988-408-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/4428-416-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	b716b755248d5784df33e2f6f21aa979.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	b716b755248d5784df33e2f6f21aa979.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	mdm.exe

Suspicious use of SetThreadContext 54 IoCs

description	pid	Process	procid_target
PID 852 set thread context of 860	852	b716b755248d5784df33e2f6f21aa979.exe	87
PID 1288 set thread context of 2020	1288	mdm.exe	89
PID 2080 set thread context of 3948	2080	mdm.exe	91
PID 4068 set thread context of 3936	4068	mdm.exe	93
PID 1268 set thread context of 2676	1268	mdm.exe	95
PID 4100 set thread context of 2700	4100	mdm.exe	97
PID 1404 set thread context of 2352	1404	mdm.exe	99
PID 1832 set thread context of 3712	1832	mdm.exe	101
PID 544 set thread context of 1888	544	mdm.exe	103
PID 4684 set thread context of 1748	4684	mdm.exe	105
PID 472 set thread context of 2488	472	mdm.exe	107
PID 1440 set thread context of 4108	1440	mdm.exe	109
PID 5072 set thread context of 2012	5072	mdm.exe	111
PID 1768 set thread context of 4224	1768	mdm.exe	113
PID 4060 set thread context of 3668	4060	mdm.exe	115
PID 5004 set thread context of 2380	5004	mdm.exe	117
PID 2264 set thread context of 2180	2264	mdm.exe	119
PID 4916 set thread context of 4416	4916	mdm.exe	121
PID 1196 set thread context of 1132	1196	mdm.exe	123
PID 2028 set thread context of 2596	2028	mdm.exe	125
PID 4836 set thread context of 4324	4836	mdm.exe	127
PID 1120 set thread context of 4284	1120	mdm.exe	129
PID 2584 set thread context of 2276	2584	mdm.exe	131
PID 656 set thread context of 2160	656	mdm.exe	133
PID 4076 set thread context of 3032	4076	mdm.exe	135
PID 1292 set thread context of 540	1292	mdm.exe	137
PID 4536 set thread context of 4828	4536	mdm.exe	139
PID 3112 set thread context of 2864	3112	mdm.exe	141
PID 4728 set thread context of 2428	4728	mdm.exe	143
PID 524 set thread context of 1116	524	mdm.exe	145
PID 1324 set thread context of 4888	1324	mdm.exe	147
PID 1660 set thread context of 3176	1660	mdm.exe	149
PID 4868 set thread context of 2628	4868	mdm.exe	151
PID 1440 set thread context of 4064	1440	mdm.exe	153
PID 5072 set thread context of 4956	5072	mdm.exe	155
PID 3904 set thread context of 1768	3904	mdm.exe	157
PID 3568 set thread context of 4612	3568	mdm.exe	159
PID 1640 set thread context of 3564	1640	mdm.exe	161
PID 1168 set thread context of 832	1168	mdm.exe	164
PID 4952 set thread context of 4916	4952	mdm.exe	166
PID 3052 set thread context of 3204	3052	mdm.exe	168
PID 4320 set thread context of 2724	4320	mdm.exe	170
PID 4912 set thread context of 2964	4912	mdm.exe	172
PID 3024 set thread context of 1448	3024	mdm.exe	174
PID 4288 set thread context of 4624	4288	mdm.exe	176
PID 2880 set thread context of 3688	2880	mdm.exe	178
PID 640 set thread context of 1884	640	mdm.exe	180
PID 2072 set thread context of 4848	2072	mdm.exe	182
PID 112 set thread context of 1112	112	mdm.exe	184
PID 1056 set thread context of 1760	1056	mdm.exe	187
PID 4872 set thread context of 3228	4872	mdm.exe	189
PID 4000 set thread context of 3532	4000	mdm.exe	191
PID 2016 set thread context of 4692	2016	mdm.exe	193
PID 4312 set thread context of 4332	4312	mdm.exe	195

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 860	852	b716b755248d5784df33e2f6f21aa979.exe	87
PID 852 wrote to memory of 860	852	b716b755248d5784df33e2f6f21aa979.exe	87
PID 852 wrote to memory of 860	852	b716b755248d5784df33e2f6f21aa979.exe	87
PID 852 wrote to memory of 860	852	b716b755248d5784df33e2f6f21aa979.exe	87
PID 852 wrote to memory of 860	852	b716b755248d5784df33e2f6f21aa979.exe	87
PID 860 wrote to memory of 1288	860	b716b755248d5784df33e2f6f21aa979.exe	88
PID 860 wrote to memory of 1288	860	b716b755248d5784df33e2f6f21aa979.exe	88
PID 860 wrote to memory of 1288	860	b716b755248d5784df33e2f6f21aa979.exe	88
PID 1288 wrote to memory of 2020	1288	mdm.exe	89
PID 1288 wrote to memory of 2020	1288	mdm.exe	89
PID 1288 wrote to memory of 2020	1288	mdm.exe	89
PID 1288 wrote to memory of 2020	1288	mdm.exe	89
PID 1288 wrote to memory of 2020	1288	mdm.exe	89
PID 2020 wrote to memory of 2080	2020	mdm.exe	90
PID 2020 wrote to memory of 2080	2020	mdm.exe	90
PID 2020 wrote to memory of 2080	2020	mdm.exe	90
PID 2080 wrote to memory of 3948	2080	mdm.exe	91
PID 2080 wrote to memory of 3948	2080	mdm.exe	91
PID 2080 wrote to memory of 3948	2080	mdm.exe	91
PID 2080 wrote to memory of 3948	2080	mdm.exe	91
PID 2080 wrote to memory of 3948	2080	mdm.exe	91
PID 3948 wrote to memory of 4068	3948	mdm.exe	92
PID 3948 wrote to memory of 4068	3948	mdm.exe	92
PID 3948 wrote to memory of 4068	3948	mdm.exe	92
PID 4068 wrote to memory of 3936	4068	mdm.exe	93
PID 4068 wrote to memory of 3936	4068	mdm.exe	93
PID 4068 wrote to memory of 3936	4068	mdm.exe	93
PID 4068 wrote to memory of 3936	4068	mdm.exe	93
PID 4068 wrote to memory of 3936	4068	mdm.exe	93
PID 3936 wrote to memory of 1268	3936	mdm.exe	94
PID 3936 wrote to memory of 1268	3936	mdm.exe	94
PID 3936 wrote to memory of 1268	3936	mdm.exe	94
PID 1268 wrote to memory of 2676	1268	mdm.exe	95
PID 1268 wrote to memory of 2676	1268	mdm.exe	95
PID 1268 wrote to memory of 2676	1268	mdm.exe	95
PID 1268 wrote to memory of 2676	1268	mdm.exe	95
PID 1268 wrote to memory of 2676	1268	mdm.exe	95
PID 2676 wrote to memory of 4100	2676	mdm.exe	96
PID 2676 wrote to memory of 4100	2676	mdm.exe	96
PID 2676 wrote to memory of 4100	2676	mdm.exe	96
PID 4100 wrote to memory of 2700	4100	mdm.exe	97
PID 4100 wrote to memory of 2700	4100	mdm.exe	97
PID 4100 wrote to memory of 2700	4100	mdm.exe	97
PID 4100 wrote to memory of 2700	4100	mdm.exe	97
PID 4100 wrote to memory of 2700	4100	mdm.exe	97
PID 2700 wrote to memory of 1404	2700	mdm.exe	98
PID 2700 wrote to memory of 1404	2700	mdm.exe	98
PID 2700 wrote to memory of 1404	2700	mdm.exe	98
PID 1404 wrote to memory of 2352	1404	mdm.exe	99
PID 1404 wrote to memory of 2352	1404	mdm.exe	99
PID 1404 wrote to memory of 2352	1404	mdm.exe	99
PID 1404 wrote to memory of 2352	1404	mdm.exe	99
PID 1404 wrote to memory of 2352	1404	mdm.exe	99
PID 2352 wrote to memory of 1832	2352	mdm.exe	100
PID 2352 wrote to memory of 1832	2352	mdm.exe	100
PID 2352 wrote to memory of 1832	2352	mdm.exe	100
PID 1832 wrote to memory of 3712	1832	mdm.exe	101
PID 1832 wrote to memory of 3712	1832	mdm.exe	101
PID 1832 wrote to memory of 3712	1832	mdm.exe	101
PID 1832 wrote to memory of 3712	1832	mdm.exe	101
PID 1832 wrote to memory of 3712	1832	mdm.exe	101
PID 3712 wrote to memory of 544	3712	mdm.exe	102
PID 3712 wrote to memory of 544	3712	mdm.exe	102
PID 3712 wrote to memory of 544	3712	mdm.exe	102

C:\Users\Admin\AppData\Local\Temp\b716b755248d5784df33e2f6f21aa979.exe
"C:\Users\Admin\AppData\Local\Temp\b716b755248d5784df33e2f6f21aa979.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\b716b755248d5784df33e2f6f21aa979.exe
  C:\Users\Admin\AppData\Local\Temp\b716b755248d5784df33e2f6f21aa979.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\SysWOW64\mdm.exe
    "C:\Windows\system32\mdm.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\mdm.exe
      C:\Windows\SysWOW64\mdm.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3936
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1268
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:544
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4684
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:472
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2488
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1440
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        24⤵
        Executes dropped EXE
        
        PID:4108
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:5072
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2012
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1768
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        28⤵
        Executes dropped EXE
        
        PID:4224
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4060
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        30⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:5004
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2380
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2264
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        34⤵
        Executes dropped EXE
        
        PID:2180
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4916
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        36⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1196
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        38⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:2028
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        40⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4836
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        42⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        43⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1120
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        44⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:2584
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        46⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2276
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:656
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        48⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2160
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        49⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4076
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        50⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1292
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        52⤵
        Executes dropped EXE
        
        PID:540
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4536
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        54⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4828
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:3112
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2864
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        57⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4728
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        58⤵
        Executes dropped EXE
        
        PID:2428
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        59⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:524
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        60⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        61⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1324
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        62⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4888
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1660
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3176
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4868
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        66⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:1440
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        68⤵
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        69⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:5072
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        70⤵
        Drops file in System32 directory
        
        PID:4956
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:3904
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        72⤵
        Drops file in System32 directory
        
        PID:1768
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        73⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:3568
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        74⤵
        Drops file in System32 directory
        
        PID:4612
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        75⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1640
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        76⤵
        Drops file in System32 directory
        
        PID:3564
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:1168
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        78⤵
        
        PID:832
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        79⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4952
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        80⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        81⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:3052
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        82⤵
        Drops file in System32 directory
        
        PID:3204
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:4320
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        84⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        85⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4912
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        86⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:3024
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        88⤵
        Drops file in System32 directory
        
        PID:1448
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:4288
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        90⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:2880
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        92⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        93⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:640
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        94⤵
        
        PID:1884
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        95⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:2072
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        96⤵
        
        PID:4848
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        97⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:112
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        98⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        99⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:1056
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        100⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        101⤵
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        
        PID:4872
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        102⤵
        Drops file in System32 directory
        
        PID:3228
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:4000
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        104⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:2016
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        106⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:4312
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        108⤵
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        109⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        110⤵
        
        PID:764
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        111⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        112⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        113⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        114⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        115⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        116⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        117⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        118⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        119⤵
        
        PID:412
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        120⤵
        
        PID:856
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        121⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        122⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        123⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        124⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        125⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        126⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        127⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        128⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        129⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        130⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        131⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        132⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        133⤵
        
        PID:852
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        134⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        135⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        136⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        137⤵
        
        PID:1512
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        138⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        139⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        140⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        141⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        142⤵
        
        PID:3356
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        143⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        144⤵
        
        PID:1404
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        145⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        146⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        147⤵
        
        PID:520
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        148⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        149⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        150⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        151⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        152⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        153⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        154⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        155⤵
        
        PID:1840
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        156⤵
        
        PID:224
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        157⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        158⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        159⤵
        
        PID:564
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        160⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        161⤵
        
        PID:448
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        162⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        163⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        164⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        165⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        166⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        167⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        168⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        169⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        170⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        171⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        172⤵
        
        PID:788
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        173⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        174⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        175⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        176⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        177⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        178⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        179⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        180⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        181⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        182⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        183⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        184⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        185⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        186⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        187⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        188⤵
        
        PID:60
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        189⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        190⤵
        
        PID:3172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\b716b755248d5784df33e2f6f21aa979.exe

Filesize
39KB

MD5
b716b755248d5784df33e2f6f21aa979

SHA1
6334cbac13f76896c674d50d3ad5c7fcc7de4ab6

SHA256
f0ac3d737f450eb47df7da5825cd5e17f24df008a8ee1ac901e133088a04e968

SHA512
f14e71a25188fda76bf02170f99474aa643d6076ac4644f2ffe0b61feddaaf22d020f50a13a88304a76aef7afee68d644a93ad28afd537c331242d4e6c53ccfb

Download Submit
memory/540-209-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/764-397-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/832-299-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/856-426-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/860-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/860-4-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/860-6-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/860-2-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1112-361-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1116-239-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1132-150-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1440-405-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1448-330-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1748-77-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1760-368-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1768-280-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1884-351-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1888-69-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1988-408-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2012-101-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2020-16-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-194-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2160-189-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2180-133-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2276-183-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2352-53-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2380-126-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2428-234-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2488-86-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2596-159-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2628-265-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2676-39-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2700-46-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2724-317-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2864-226-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2964-326-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3028-420-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3032-198-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3032-204-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3176-258-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3176-287-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3204-311-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3228-372-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3532-379-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3564-325-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3564-295-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3668-116-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3688-343-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3712-61-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3896-432-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3936-32-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3936-31-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3948-24-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4064-268-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4108-95-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4224-110-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4284-173-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4324-165-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4332-391-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4416-145-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4416-140-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4428-416-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4612-289-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4624-336-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4692-385-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4828-218-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4828-257-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4848-354-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4888-249-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4916-307-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4956-274-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download