78cb48d4f58ead0a1d6b9e20bccfd164c53a541f4476b3007b41087dea5f269b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe
Size

22KB
MD5

3c2a0e83750ce5f730fc5d68bb22d93f
SHA1

525be3e7e672cea78e070f1480e3521da9694bdd
SHA256

78cb48d4f58ead0a1d6b9e20bccfd164c53a541f4476b3007b41087dea5f269b
SHA512

98c9ea640f0970902528be640d4ae0fcdde70a9dba5e47e63981be580cfbe47f3543c68cfd03d14b492f5dc35ce1b4c880357002b3f9b49dabb3143079d92549
SSDEEP

384:ypsSpg11+XCEuQ+M31f1AVe2NUwznHPPbMcYmszuK/UActaaKnhLIgL:aps8Cqxf1j2NUOoXzXTZ

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2820	mdm.exe
2908	mdm.exe
2672	mdm.exe
2736	mdm.exe
2668	mdm.exe
2588	mdm.exe
2980	mdm.exe
2368	mdm.exe
976	mdm.exe
1688	mdm.exe
1900	mdm.exe
2880	mdm.exe
2284	mdm.exe
2252	mdm.exe
1844	mdm.exe
1604	mdm.exe
1696	mdm.exe
1036	mdm.exe
2768	mdm.exe
1876	mdm.exe
1488	mdm.exe
828	mdm.exe
2060	mdm.exe
1944	mdm.exe
2924	mdm.exe
1052	mdm.exe
2948	mdm.exe
832	mdm.exe
2528	mdm.exe
1720	mdm.exe
1092	mdm.exe
2636	mdm.exe
1056	mdm.exe
1664	mdm.exe
892	mdm.exe
936	mdm.exe
2116	mdm.exe
2004	mdm.exe
1892	mdm.exe
2896	mdm.exe
1060	mdm.exe
1636	mdm.exe
2464	mdm.exe
2360	mdm.exe
2164	mdm.exe
2700	mdm.exe
2772	mdm.exe
2688	mdm.exe
2816	mdm.exe
2680	mdm.exe
2728	mdm.exe
2840	mdm.exe
1552	mdm.exe
1560	mdm.exe
2976	mdm.exe
2696	mdm.exe
2576	mdm.exe
2620	mdm.exe
2112	mdm.exe
484	mdm.exe
752	mdm.exe
1168	mdm.exe
284	mdm.exe
724	mdm.exe

Loads dropped DLL 64 IoCs

pid	Process
3044	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe
3044	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe
2820	mdm.exe
2908	mdm.exe
2908	mdm.exe
2672	mdm.exe
2736	mdm.exe
2736	mdm.exe
2668	mdm.exe
2588	mdm.exe
2588	mdm.exe
2980	mdm.exe
2368	mdm.exe
2368	mdm.exe
976	mdm.exe
1688	mdm.exe
1688	mdm.exe
1900	mdm.exe
2880	mdm.exe
2880	mdm.exe
2284	mdm.exe
2252	mdm.exe
2252	mdm.exe
1844	mdm.exe
1604	mdm.exe
1604	mdm.exe
1696	mdm.exe
1036	mdm.exe
1036	mdm.exe
2768	mdm.exe
1876	mdm.exe
1876	mdm.exe
1488	mdm.exe
828	mdm.exe
828	mdm.exe
2060	mdm.exe
1944	mdm.exe
1944	mdm.exe
2924	mdm.exe
1052	mdm.exe
1052	mdm.exe
2948	mdm.exe
832	mdm.exe
832	mdm.exe
2528	mdm.exe
1720	mdm.exe
1720	mdm.exe
2636	mdm.exe
2636	mdm.exe
1664	mdm.exe
1664	mdm.exe
936	mdm.exe
936	mdm.exe
2004	mdm.exe
2004	mdm.exe
2896	mdm.exe
2896	mdm.exe
1636	mdm.exe
1636	mdm.exe
2360	mdm.exe
2360	mdm.exe
2700	mdm.exe
2700	mdm.exe
2688	mdm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3044-5-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3044-8-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2908-34-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2736-43-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2588-58-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2588-64-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2736-48-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2908-28-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3044-6-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/3044-10-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2368-71-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2368-76-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1688-84-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1688-89-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2880-99-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2252-115-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1604-124-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1604-130-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1036-143-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1876-155-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/828-163-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/828-169-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1944-183-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1052-191-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/832-199-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1720-207-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2636-215-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1664-223-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/936-231-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2896-247-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2004-239-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1636-255-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2360-261-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2700-268-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2700-272-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2688-280-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2680-289-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2840-297-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1560-305-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2696-313-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2620-321-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/484-329-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1168-337-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/724-345-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2888-353-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1860-361-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1916-369-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2452-377-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1708-385-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1352-393-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2108-401-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1980-409-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2140-415-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2952-425-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2204-441-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1936-433-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1520-449-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1648-454-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1648-458-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2968-466-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/600-474-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/2524-482-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/680-490-0x0000000000400000-0x000000000044B000-memory.dmp	upx
behavioral1/memory/1200-498-0x0000000000400000-0x000000000044B000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File opened for modification	C:\Windows\SysWOW64\mdm.exe	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe
File created	C:\Windows\SysWOW64\mdm.exe	mdm.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 2164 set thread context of 3044	2164	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	30
PID 2820 set thread context of 2908	2820	mdm.exe	32
PID 2672 set thread context of 2736	2672	mdm.exe	34
PID 2668 set thread context of 2588	2668	mdm.exe	36
PID 2980 set thread context of 2368	2980	mdm.exe	38
PID 976 set thread context of 1688	976	mdm.exe	40
PID 1900 set thread context of 2880	1900	mdm.exe	42
PID 2284 set thread context of 2252	2284	mdm.exe	44
PID 1844 set thread context of 1604	1844	mdm.exe	46
PID 1696 set thread context of 1036	1696	mdm.exe	48
PID 2768 set thread context of 1876	2768	mdm.exe	50
PID 1488 set thread context of 828	1488	mdm.exe	52
PID 2060 set thread context of 1944	2060	mdm.exe	54
PID 2924 set thread context of 1052	2924	mdm.exe	56
PID 2948 set thread context of 832	2948	mdm.exe	58
PID 2528 set thread context of 1720	2528	mdm.exe	60
PID 1092 set thread context of 2636	1092	mdm.exe	62
PID 1056 set thread context of 1664	1056	mdm.exe	64
PID 892 set thread context of 936	892	mdm.exe	66
PID 2116 set thread context of 2004	2116	mdm.exe	68
PID 1892 set thread context of 2896	1892	mdm.exe	70
PID 1060 set thread context of 1636	1060	mdm.exe	72
PID 2464 set thread context of 2360	2464	mdm.exe	74
PID 2164 set thread context of 2700	2164	mdm.exe	76
PID 2772 set thread context of 2688	2772	mdm.exe	78
PID 2816 set thread context of 2680	2816	mdm.exe	80
PID 2728 set thread context of 2840	2728	mdm.exe	82
PID 1552 set thread context of 1560	1552	mdm.exe	84
PID 2976 set thread context of 2696	2976	mdm.exe	86
PID 2576 set thread context of 2620	2576	mdm.exe	88
PID 2112 set thread context of 484	2112	mdm.exe	90
PID 752 set thread context of 1168	752	mdm.exe	92
PID 284 set thread context of 724	284	mdm.exe	94
PID 2876 set thread context of 2888	2876	mdm.exe	96
PID 2652 set thread context of 1860	2652	mdm.exe	98
PID 812 set thread context of 1916	812	mdm.exe	100
PID 1656 set thread context of 2452	1656	mdm.exe	102
PID 1868 set thread context of 1708	1868	mdm.exe	104
PID 2544 set thread context of 1352	2544	mdm.exe	106
PID 1444 set thread context of 2108	1444	mdm.exe	108
PID 1740 set thread context of 1980	1740	mdm.exe	110
PID 2388 set thread context of 2140	2388	mdm.exe	112
PID 2264 set thread context of 2952	2264	mdm.exe	114
PID 2176 set thread context of 1936	2176	mdm.exe	116
PID 444 set thread context of 2204	444	mdm.exe	118
PID 1588 set thread context of 1520	1588	mdm.exe	120
PID 3008 set thread context of 1648	3008	mdm.exe	122
PID 3012 set thread context of 2968	3012	mdm.exe	124
PID 2320 set thread context of 600	2320	mdm.exe	126
PID 2336 set thread context of 2524	2336	mdm.exe	128
PID 2308 set thread context of 680	2308	mdm.exe	130
PID 2212 set thread context of 1200	2212	mdm.exe	132
PID 2684 set thread context of 2828	2684	mdm.exe	134
PID 2564 set thread context of 2592	2564	mdm.exe	136
PID 2756 set thread context of 2608	2756	mdm.exe	138
PID 1564 set thread context of 2628	1564	mdm.exe	140
PID 2292 set thread context of 2812	2292	mdm.exe	142
PID 2992 set thread context of 1972	2992	mdm.exe	144
PID 692 set thread context of 1612	692	mdm.exe	146
PID 572 set thread context of 1472	572	mdm.exe	148
PID 2852 set thread context of 2876	2852	mdm.exe	150
PID 2192 set thread context of 2380	2192	mdm.exe	152
PID 304 set thread context of 2884	304	mdm.exe	154
PID 1844 set thread context of 1696	1844	mdm.exe	156

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 3044	2164	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	30
PID 2164 wrote to memory of 3044	2164	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	30
PID 2164 wrote to memory of 3044	2164	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	30
PID 2164 wrote to memory of 3044	2164	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	30
PID 2164 wrote to memory of 3044	2164	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	30
PID 2164 wrote to memory of 3044	2164	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	30
PID 3044 wrote to memory of 2820	3044	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2820	3044	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2820	3044	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	31
PID 3044 wrote to memory of 2820	3044	3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe	31
PID 2820 wrote to memory of 2908	2820	mdm.exe	32
PID 2820 wrote to memory of 2908	2820	mdm.exe	32
PID 2820 wrote to memory of 2908	2820	mdm.exe	32
PID 2820 wrote to memory of 2908	2820	mdm.exe	32
PID 2820 wrote to memory of 2908	2820	mdm.exe	32
PID 2820 wrote to memory of 2908	2820	mdm.exe	32
PID 2908 wrote to memory of 2672	2908	mdm.exe	33
PID 2908 wrote to memory of 2672	2908	mdm.exe	33
PID 2908 wrote to memory of 2672	2908	mdm.exe	33
PID 2908 wrote to memory of 2672	2908	mdm.exe	33
PID 2672 wrote to memory of 2736	2672	mdm.exe	34
PID 2672 wrote to memory of 2736	2672	mdm.exe	34
PID 2672 wrote to memory of 2736	2672	mdm.exe	34
PID 2672 wrote to memory of 2736	2672	mdm.exe	34
PID 2672 wrote to memory of 2736	2672	mdm.exe	34
PID 2672 wrote to memory of 2736	2672	mdm.exe	34
PID 2736 wrote to memory of 2668	2736	mdm.exe	35
PID 2736 wrote to memory of 2668	2736	mdm.exe	35
PID 2736 wrote to memory of 2668	2736	mdm.exe	35
PID 2736 wrote to memory of 2668	2736	mdm.exe	35
PID 2668 wrote to memory of 2588	2668	mdm.exe	36
PID 2668 wrote to memory of 2588	2668	mdm.exe	36
PID 2668 wrote to memory of 2588	2668	mdm.exe	36
PID 2668 wrote to memory of 2588	2668	mdm.exe	36
PID 2668 wrote to memory of 2588	2668	mdm.exe	36
PID 2668 wrote to memory of 2588	2668	mdm.exe	36
PID 2588 wrote to memory of 2980	2588	mdm.exe	37
PID 2588 wrote to memory of 2980	2588	mdm.exe	37
PID 2588 wrote to memory of 2980	2588	mdm.exe	37
PID 2588 wrote to memory of 2980	2588	mdm.exe	37
PID 2980 wrote to memory of 2368	2980	mdm.exe	38
PID 2980 wrote to memory of 2368	2980	mdm.exe	38
PID 2980 wrote to memory of 2368	2980	mdm.exe	38
PID 2980 wrote to memory of 2368	2980	mdm.exe	38
PID 2980 wrote to memory of 2368	2980	mdm.exe	38
PID 2980 wrote to memory of 2368	2980	mdm.exe	38
PID 2368 wrote to memory of 976	2368	mdm.exe	39
PID 2368 wrote to memory of 976	2368	mdm.exe	39
PID 2368 wrote to memory of 976	2368	mdm.exe	39
PID 2368 wrote to memory of 976	2368	mdm.exe	39
PID 976 wrote to memory of 1688	976	mdm.exe	40
PID 976 wrote to memory of 1688	976	mdm.exe	40
PID 976 wrote to memory of 1688	976	mdm.exe	40
PID 976 wrote to memory of 1688	976	mdm.exe	40
PID 976 wrote to memory of 1688	976	mdm.exe	40
PID 976 wrote to memory of 1688	976	mdm.exe	40
PID 1688 wrote to memory of 1900	1688	mdm.exe	41
PID 1688 wrote to memory of 1900	1688	mdm.exe	41
PID 1688 wrote to memory of 1900	1688	mdm.exe	41
PID 1688 wrote to memory of 1900	1688	mdm.exe	41
PID 1900 wrote to memory of 2880	1900	mdm.exe	42
PID 1900 wrote to memory of 2880	1900	mdm.exe	42
PID 1900 wrote to memory of 2880	1900	mdm.exe	42
PID 1900 wrote to memory of 2880	1900	mdm.exe	42

C:\Users\Admin\AppData\Local\Temp\3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Users\Admin\AppData\Local\Temp\3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\3c2a0e83750ce5f730fc5d68bb22d93f_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\mdm.exe
    "C:\Windows\system32\mdm.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\mdm.exe
      C:\Windows\SysWOW64\mdm.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2672
      - C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2880
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2284
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2252
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1844
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1696
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1036
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2768
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1876
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1488
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:828
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2060
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1944
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2924
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1052
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2948
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:832
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:2528
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1720
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1092
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2636
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1056
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1664
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:892
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:936
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2116
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        40⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2004
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1892
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        42⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2896
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1060
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        44⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1636
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2464
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        46⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2360
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2164
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        48⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2700
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2772
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        50⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2816
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        52⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2680
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2728
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        54⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1552
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2976
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        58⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2576
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        60⤵
        Executes dropped EXE
        
        PID:2620
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2112
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        62⤵
        Executes dropped EXE
        
        PID:484
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:752
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        64⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:284
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        66⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        67⤵
        Suspicious use of SetThreadContext
        
        PID:2876
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        68⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        69⤵
        Suspicious use of SetThreadContext
        
        PID:2652
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        70⤵
        Drops file in System32 directory
        
        PID:1860
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        71⤵
        Suspicious use of SetThreadContext
        
        PID:812
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        72⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        73⤵
        Suspicious use of SetThreadContext
        
        PID:1656
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        74⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        75⤵
        Suspicious use of SetThreadContext
        
        PID:1868
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        76⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        77⤵
        Suspicious use of SetThreadContext
        
        PID:2544
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        78⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        79⤵
        Suspicious use of SetThreadContext
        
        PID:1444
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        80⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        81⤵
        Suspicious use of SetThreadContext
        
        PID:1740
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        82⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        83⤵
        Suspicious use of SetThreadContext
        
        PID:2388
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        84⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        85⤵
        Suspicious use of SetThreadContext
        
        PID:2264
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        86⤵
        Drops file in System32 directory
        
        PID:2952
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        87⤵
        Suspicious use of SetThreadContext
        
        PID:2176
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        88⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        89⤵
        Suspicious use of SetThreadContext
        
        PID:444
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        90⤵
        Drops file in System32 directory
        
        PID:2204
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        91⤵
        Suspicious use of SetThreadContext
        
        PID:1588
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        92⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        93⤵
        Suspicious use of SetThreadContext
        
        PID:3008
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        94⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        95⤵
        Suspicious use of SetThreadContext
        
        PID:3012
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        96⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        97⤵
        Suspicious use of SetThreadContext
        
        PID:2320
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        98⤵
        
        PID:600
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        99⤵
        Suspicious use of SetThreadContext
        
        PID:2336
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        100⤵
        
        PID:2524
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        101⤵
        Suspicious use of SetThreadContext
        
        PID:2308
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        102⤵
        
        PID:680
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        103⤵
        Suspicious use of SetThreadContext
        
        PID:2212
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        104⤵
        Drops file in System32 directory
        
        PID:1200
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        105⤵
        Suspicious use of SetThreadContext
        
        PID:2684
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        106⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        107⤵
        Suspicious use of SetThreadContext
        
        PID:2564
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        108⤵
        Drops file in System32 directory
        
        PID:2592
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        109⤵
        Suspicious use of SetThreadContext
        
        PID:2756
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        110⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        111⤵
        Suspicious use of SetThreadContext
        
        PID:1564
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        112⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        113⤵
        Suspicious use of SetThreadContext
        
        PID:2292
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        114⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        115⤵
        Suspicious use of SetThreadContext
        
        PID:2992
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        116⤵
        Drops file in System32 directory
        
        PID:1972
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        117⤵
        Suspicious use of SetThreadContext
        
        PID:692
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        118⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        119⤵
        Suspicious use of SetThreadContext
        
        PID:572
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        120⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        121⤵
        Suspicious use of SetThreadContext
        
        PID:2852
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        122⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        123⤵
        Suspicious use of SetThreadContext
        
        PID:2192
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        124⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        125⤵
        Suspicious use of SetThreadContext
        
        PID:304
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        126⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:1844
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        128⤵
        Drops file in System32 directory
        
        PID:1696
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        129⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        130⤵
        Drops file in System32 directory
        
        PID:2784
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        131⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        132⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        133⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        134⤵
        Drops file in System32 directory
        
        PID:2844
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        135⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        136⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        137⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        138⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        139⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        140⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        141⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        142⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        143⤵
        
        PID:980
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        144⤵
        Drops file in System32 directory
        
        PID:1588
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        145⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        146⤵
        Drops file in System32 directory
        
        PID:1692
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        147⤵
        
        PID:684
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        148⤵
        
        PID:696
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        149⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        150⤵
        Drops file in System32 directory
        
        PID:2320
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        151⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        152⤵
        Drops file in System32 directory
        
        PID:2336
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        153⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        154⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        155⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        156⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        157⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        158⤵
        Drops file in System32 directory
        
        PID:2772
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        159⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        160⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        161⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        162⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        163⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        164⤵
        Drops file in System32 directory
        
        PID:2676
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        165⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        166⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        167⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        168⤵
        Drops file in System32 directory
        
        PID:2984
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        169⤵
        
        PID:776
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        170⤵
        Drops file in System32 directory
        
        PID:1016
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        171⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        172⤵
        Drops file in System32 directory
        
        PID:2444
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        173⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        174⤵
        Drops file in System32 directory
        
        PID:1156
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        175⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        176⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        177⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        178⤵
        
        PID:344
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        179⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        180⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        181⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        182⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        183⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        184⤵
        Drops file in System32 directory
        
        PID:616
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        185⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        186⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        187⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        188⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        189⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        190⤵
        Drops file in System32 directory
        
        PID:3032
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        191⤵
        
        PID:1300
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        192⤵
        Drops file in System32 directory
        
        PID:1092
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        193⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        194⤵
        Drops file in System32 directory
        
        PID:1056
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        195⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        196⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        197⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        198⤵
        Drops file in System32 directory
        
        PID:2008
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        199⤵
        
        PID:984
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        200⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        201⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        202⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        203⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        204⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        205⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        206⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        207⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        208⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        209⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        210⤵
        Drops file in System32 directory
        
        PID:2596
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        211⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        212⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        213⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        214⤵
        Drops file in System32 directory
        
        PID:2052
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        215⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        216⤵
        Drops file in System32 directory
        
        PID:320
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        217⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        218⤵
        
        PID:572
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        219⤵
        
        PID:580
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        220⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        221⤵
        
        PID:304
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        222⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        223⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        224⤵
        Drops file in System32 directory
        
        PID:1656
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        225⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        226⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        227⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        228⤵
        Drops file in System32 directory
        
        PID:2344
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        229⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        230⤵
        Drops file in System32 directory
        
        PID:1380
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        231⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        232⤵
        Drops file in System32 directory
        
        PID:2928
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        233⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        234⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        235⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        236⤵
        
        PID:664
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        237⤵
        
        PID:968
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        238⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        239⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        240⤵
        Drops file in System32 directory
        
        PID:3008
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        241⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        242⤵
        Drops file in System32 directory
        
        PID:2316
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        243⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        244⤵
        Drops file in System32 directory
        
        PID:1716
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        245⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        246⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        247⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        248⤵
        Drops file in System32 directory
        
        PID:2240
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        249⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        250⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        251⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        252⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        253⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        254⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        255⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        256⤵
        Drops file in System32 directory
        
        PID:2760
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        257⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        258⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        259⤵
        
        PID:712
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        260⤵
        Drops file in System32 directory
        
        PID:776
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        261⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        262⤵
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        263⤵
        
        PID:580
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        264⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        265⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        266⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        267⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        268⤵
        Drops file in System32 directory
        
        PID:2000
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        269⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        270⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        271⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        272⤵
        Drops file in System32 directory
        
        PID:2768
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        273⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        274⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        275⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\mdm.exe
        
        C:\Windows\SysWOW64\mdm.exe
        276⤵
        Drops file in System32 directory
        
        PID:1336
        
        C:\Windows\SysWOW64\mdm.exe
        
        "C:\Windows\system32\mdm.exe"
        277⤵
        
        PID:408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\mdm.exe

Filesize
22KB

MD5
3c2a0e83750ce5f730fc5d68bb22d93f

SHA1
525be3e7e672cea78e070f1480e3521da9694bdd

SHA256
78cb48d4f58ead0a1d6b9e20bccfd164c53a541f4476b3007b41087dea5f269b

SHA512
98c9ea640f0970902528be640d4ae0fcdde70a9dba5e47e63981be580cfbe47f3543c68cfd03d14b492f5dc35ce1b4c880357002b3f9b49dabb3143079d92549

Download Submit
memory/344-793-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/484-329-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/600-474-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/680-490-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/696-674-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/724-345-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/828-163-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/828-169-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/832-281-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/832-199-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/936-231-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1016-761-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1036-143-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1052-191-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1156-777-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1168-337-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1200-498-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1352-393-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1368-745-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1472-560-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1492-785-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1520-449-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1560-305-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1588-658-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1604-130-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1604-124-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1612-554-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1636-255-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1648-454-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1648-458-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1664-223-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1688-89-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1688-84-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1692-666-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1696-594-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1708-385-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1720-207-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1860-361-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1876-155-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1896-650-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1916-369-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1936-433-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1944-183-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1972-546-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/1980-409-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2004-239-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2108-401-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2128-642-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2140-415-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2148-626-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2204-441-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2252-115-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2320-679-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2320-683-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2336-688-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2336-692-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2360-261-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2368-71-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2368-76-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2380-578-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2444-769-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2452-377-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2464-700-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2524-482-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2588-64-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2588-58-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2592-514-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2608-522-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2620-321-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2628-530-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2636-215-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2656-610-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2676-737-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2680-289-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2688-280-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2696-313-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2700-268-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2700-272-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2736-48-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2736-43-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2752-720-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2772-714-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2784-602-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2812-538-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2828-506-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2840-297-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2844-618-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2876-570-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2880-99-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2884-586-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2888-353-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2896-247-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2908-28-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2908-34-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2920-708-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2924-634-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2952-425-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2968-466-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2984-753-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3044-2-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3044-5-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3044-6-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3044-10-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3044-0-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3044-8-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download