Analysis

max time kernel: 151s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/12/2022, 19:00
Static task: static1

Behavioral task: behavioral1
  Sample: f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe
  Resource: win7-20221111-en

Behavioral task: behavioral2
  Sample: f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe
  Resource: win10v2004-20220901-en
General

Target: f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe
Size: 35KB
MD5: 1868436b4ca23e084d1fc46ad6a11120
SHA1: 3facb5fcca1dc9eca365baa61a62152dd7597fd2
SHA256: f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b
SHA512: 48f4f55bc2bde671023a8589aea1ec4fcb10f65f2b21911f9db19ca6984e748fa1d30d2e958e35ba93261fb4db0475b138683dced588e5bfb53bb99d1ab38e1a
SSDEEP: 768:0jNTRwRykWMd4mp+8lAMU5GXI6Qy0siFCvJ4V7wmdUm1a8kW:QN9KsMdRp+yAqBMFCvJgZP1a0
Malware Config

Signatures

Executes dropped EXE (64 IoCs)
Checks computer location settings (2 TTPs, 64 IoCs)
Looks up country code configured in the registry, likely geofence.
Adds Run key to start application (2 TTPs, 64 IoCs)
Modifies WinLogon (2 TTPs, 64 IoCs)
Drops file in System32 directory (64 IoCs)
Drops file in Windows directory (1 IoC)
description ioc Process
File opened for modification C:\Windows\SysWOW64 f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ mdmm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Each row below is one writer -> target pair. The sandbox lists a pair once per write (three writes per child here) and cuts the table off at 64 records, so the last pair shows only one of its writes. Every target is the child the writer has just started (compare the process tree below). That is what ordinary process creation looks like to an API monitor: the signature fires on the API call, not on injection. Read it as corroboration of the spawn chain; a write into a process that is not the writer's own child would be the thing to escalate, and there is none among the 64 records listed.

writer PID  target PID  writer process                                                      procid_target  writes listed
1560        4844        f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe  81             3
4844        792         mdmm.exe                                                            82             3
792         628         mdmm.exe                                                            83             3
628         1388        mdmm.exe                                                            84             3
1388        3004        mdmm.exe                                                            85             3
3004        3060        mdmm.exe                                                            86             3
3060        4628        mdmm.exe                                                            87             3
4628        4052        mdmm.exe                                                            88             3
4052        3864        mdmm.exe                                                            89             3
3864        116         mdmm.exe                                                            90             3
116         3996        mdmm.exe                                                            91             3
3996        4100        mdmm.exe                                                            92             3
4100        1844        mdmm.exe                                                            93             3
1844        1748        mdmm.exe                                                            94             3
1748        4388        mdmm.exe                                                            95             3
4388        2208        mdmm.exe                                                            96             3
2208        984         mdmm.exe                                                            97             3
984         2288        mdmm.exe                                                            98             3
2288        732         mdmm.exe                                                            99             3
732         3708        mdmm.exe                                                            100            3
3708        4724        mdmm.exe                                                            101            3
4724        532         mdmm.exe                                                            102            1 (table cut off at 64 records)
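The triage rule stated above, turned into code: collapse the repeated records into one row per writer/target pair and separate writes that process creation explains (parent into its own new child) from writes that it does not. This is an added example, not code from the sandbox or from the sample; the record schema is the one in the table above, the PARENT map is constructed from the process tree of this report, and PID 9999 is a hypothetical target added to show the escalation path.

```python
import re
from collections import Counter

# Constructed excerpt of the WriteProcessMemory records above (the sandbox
# repeats a pair once per write, three per child here), plus one constructed
# record whose target PID 9999 is hypothetical and absent from the process
# tree: it stands in for a write that process creation cannot explain.
SAMPLE_RECORDS = """\
PID 1560 wrote to memory of 4844 1560 f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe 81
PID 1560 wrote to memory of 4844 1560 f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe 81
PID 1560 wrote to memory of 4844 1560 f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe 81
PID 4844 wrote to memory of 792 4844 mdmm.exe 82
PID 4844 wrote to memory of 792 4844 mdmm.exe 82
PID 4844 wrote to memory of 792 4844 mdmm.exe 82
PID 792 wrote to memory of 628 792 mdmm.exe 83
PID 792 wrote to memory of 628 792 mdmm.exe 83
PID 792 wrote to memory of 628 792 mdmm.exe 83
PID 4844 wrote to memory of 9999 4844 mdmm.exe 200
"""

# Parent PID of each child, taken from the process tree of this report
# (1560 -> 4844 -> 792 -> 628). 9999 deliberately has no entry.
PARENT = {4844: 1560, 792: 4844, 628: 792}

RECORD_RE = re.compile(
    r"^PID (?P<writer>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid>\d+) (?P<image>\S+) (?P<procid_target>\d+)$"
)


def parse_records(text):
    """One dict per record line; a line outside the schema is an error, not silently dropped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparsable record: {line!r}")
        d = m.groupdict()
        for key in ("writer", "target", "pid", "procid_target"):
            d[key] = int(d[key])
        if d["writer"] != d["pid"]:
            raise ValueError(f"writer/pid mismatch: {line!r}")
        records.append(d)
    return records


def classify_writes(records, parent):
    """One row per (writer, target, image), labelled:

    child-startup : target is the writer's own child, i.e. the normal
                    process-creation traffic an API monitor records
    cross-process : anything else, which is what injection into an
                    already running process looks like
    """
    counts = Counter((r["writer"], r["target"], r["image"]) for r in records)
    rows = []
    for (writer, target, image), n in sorted(counts.items()):
        kind = "child-startup" if parent.get(target) == writer else "cross-process"
        rows.append({"writer": writer, "target": target, "image": image,
                     "writes": n, "kind": kind})
    return rows


def escalate(rows):
    """Rows that deserve a human look: any write not explained by parent -> new child."""
    return [r for r in rows if r["kind"] == "cross-process"]


if __name__ == "__main__":
    for row in classify_writes(parse_records(SAMPLE_RECORDS), PARENT):
        print(row)
```

The parent map is the piece that does the work: without it every row is just "process A wrote into process B", and the sandbox's own label is equally loud for all of them.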
Processes
The tree is one linear chain 122 processes deep: the sample (PID 1560) starts mdmm.exe, and every mdmm.exe starts one more copy of itself, 121 generations within the analysis run. Every child has the same image path, C:\Windows\SysWOW64\mdmm.exe, and the same command line, "C:\Windows\system32\mdmm.exe"; the System32 path in the command line lands in SysWOW64 through WOW64 file-system redirection because the dropped binary is 32-bit. Each entry's parent is the entry directly above it.

The signature tables in this report are capped at 64 IoCs each, so attributions thin out toward the bottom of the tree. "Executes dropped EXE" stops after depth 65 and "Suspicious use of WriteProcessMemory" after depth 22 because those tables are full, not because the behaviour changed; "(no signatures listed)" below means none were attributed within the caps.

depth 1  PID 1560
  C:\Users\Admin\AppData\Local\Temp\f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe"
  Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; Modifies registry class; Suspicious use of WriteProcessMemory

depth  PID   signatures (every entry: C:\Windows\SysWOW64\mdmm.exe, command line "C:\Windows\system32\mdmm.exe")
    2  4844  Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Modifies WinLogon; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    3  792   Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    4  628   Executes dropped EXE; Checks computer location settings; Modifies WinLogon; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    5  1388  Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Suspicious use of WriteProcessMemory
    6  3004  Executes dropped EXE; Suspicious use of WriteProcessMemory
    7  3060  Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
    8  4628  Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
    9  4052  Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory; Suspicious use of WriteProcessMemory
   10  3864  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
   11  116   Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Suspicious use of WriteProcessMemory
   12  3996  Executes dropped EXE; Checks computer location settings; Modifies WinLogon; Modifies registry class; Suspicious use of WriteProcessMemory
   13  4100  Executes dropped EXE; Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
   14  1844  Executes dropped EXE; Suspicious use of WriteProcessMemory
   15  1748  Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
   16  4388  Executes dropped EXE; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
   17  2208  Executes dropped EXE; Modifies WinLogon; Modifies registry class; Suspicious use of WriteProcessMemory
   18  984   Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory; Modifies registry class; Suspicious use of WriteProcessMemory
   19  2288  Executes dropped EXE; Suspicious use of WriteProcessMemory
   20  732   Executes dropped EXE; Suspicious use of WriteProcessMemory
   21  3708  Executes dropped EXE; Checks computer location settings; Drops file in System32 directory; Suspicious use of WriteProcessMemory
   22  4724  Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
   23  532   Executes dropped EXE; Modifies WinLogon; Modifies registry class
   24  4496  Executes dropped EXE; Checks computer location settings; Adds Run key to start application
   25  924   Executes dropped EXE; Checks computer location settings; Drops file in System32 directory
   26  3152  Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory
   27  4696  Executes dropped EXE; Checks computer location settings
   28  432   Executes dropped EXE; Adds Run key to start application
   29  3852  Executes dropped EXE; Checks computer location settings; Modifies WinLogon; Drops file in System32 directory
   30  3032  Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory; Modifies registry class
   31  2828  Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Drops file in System32 directory; Modifies registry class
   32  1908  Executes dropped EXE
   33  4172  Executes dropped EXE; Checks computer location settings
   34  4364  Executes dropped EXE; Checks computer location settings; Adds Run key to start application
   35  3120  Executes dropped EXE; Adds Run key to start application
   36  3364  Executes dropped EXE; Checks computer location settings
   37  5020  Executes dropped EXE; Adds Run key to start application
   38  4156  Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory; Modifies registry class
   39  4376  Executes dropped EXE; Adds Run key to start application; Modifies WinLogon
   40  2260  Executes dropped EXE; Drops file in System32 directory
   41  788   Executes dropped EXE
   42  2152  Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory; Modifies registry class
   43  896   Executes dropped EXE; Checks computer location settings
   44  4328  Executes dropped EXE; Adds Run key to start application; Modifies registry class
   45  4296  Executes dropped EXE; Modifies registry class
   46  1916  Executes dropped EXE; Adds Run key to start application; Modifies WinLogon
   47  1504  Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory; Modifies registry class
   48  4700  Executes dropped EXE; Checks computer location settings; Adds Run key to start application; Modifies WinLogon; Drops file in System32 directory; Modifies registry class
   49  5196  Executes dropped EXE; Adds Run key to start application; Modifies WinLogon; Modifies registry class
   50  5244  Executes dropped EXE; Drops file in System32 directory
   51  5292  Executes dropped EXE; Checks computer location settings; Modifies registry class
   52  5340  Executes dropped EXE; Checks computer location settings; Modifies WinLogon
   53  5500  Executes dropped EXE; Modifies WinLogon; Modifies registry class
   54  5572  Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory
   55  5620  Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory
   56  5672  Executes dropped EXE; Adds Run key to start application
   57  5740  Executes dropped EXE
   58  5812  Executes dropped EXE; Adds Run key to start application
   59  5856  Executes dropped EXE
   60  5900  Executes dropped EXE; Adds Run key to start application
   61  5944  Executes dropped EXE; Adds Run key to start application
   62  5988  Executes dropped EXE; Modifies registry class
   63  6036  Executes dropped EXE; Checks computer location settings
   64  6084  Executes dropped EXE
   65  6128  Executes dropped EXE
   66  332   Checks computer location settings; Modifies WinLogon; Drops file in System32 directory
   67  5208  Adds Run key to start application; Modifies WinLogon
   68  5404  Checks computer location settings
   69  5668  Adds Run key to start application; Modifies WinLogon; Drops file in System32 directory; Modifies registry class
   70  5680  Adds Run key to start application
   71  728   Adds Run key to start application; Modifies WinLogon; Modifies registry class
   72  4276  (no signatures listed)
   73  4440  Checks computer location settings; Drops file in System32 directory
   74  6000  Modifies registry class
   75  5996  Checks computer location settings; Adds Run key to start application; Modifies WinLogon; Drops file in System32 directory; Modifies registry class
   76  2252  (no signatures listed)
   77  1592  Adds Run key to start application
   78  4320  Checks computer location settings
   79  5632  Modifies WinLogon
   80  2408  Checks computer location settings; Drops file in System32 directory
   81  6156  Modifies registry class
   82  6200  Adds Run key to start application; Modifies WinLogon; Drops file in System32 directory
   83  6240  (no signatures listed)
   84  6280  Checks computer location settings
   85  6320  Modifies WinLogon
   86  6372  (no signatures listed)
   87  6416  Adds Run key to start application; Modifies registry class
   88  6460  Modifies registry class
   89  6500  (no signatures listed)
   90  6540  (no signatures listed)
   91  6584  Modifies registry class
   92  6624  Checks computer location settings; Adds Run key to start application; Drops file in System32 directory
   93  6664  Adds Run key to start application; Modifies WinLogon
   94  6704  Modifies WinLogon
   95  6744  Modifies WinLogon; Drops file in System32 directory
   96  6784  Checks computer location settings; Adds Run key to start application
   97  6824  Drops file in System32 directory
   98  6864  Checks computer location settings
   99  6904  Drops file in System32 directory
  100  6944  Adds Run key to start application; Modifies WinLogon; Drops file in System32 directory
  101  6984  Drops file in System32 directory; Modifies registry class
  102  7024  (no signatures listed)
  103  7064  (no signatures listed)
  104  7104  (no signatures listed)
  105  7144  Adds Run key to start application; Drops file in System32 directory; Modifies registry class
  106  4560  (no signatures listed)
  107  6368  Checks computer location settings; Drops file in System32 directory
  108  2460  Modifies WinLogon; Drops file in System32 directory
  109  5336  (no signatures listed)
  110  2060  Checks computer location settings; Modifies registry class
  111  5784  Checks computer location settings
  112  4964  Modifies registry class
  113  1768  Checks computer location settings; Modifies registry class
  114  5036  Modifies registry class
  115  4732  Modifies WinLogon; Modifies registry class
  116  4992  Checks computer location settings; Modifies registry class
  117  4180  Checks computer location settings
  118  5928  Adds Run key to start application; Modifies WinLogon
  119  7176  Checks computer location settings; Adds Run key to start application; Modifies registry class
  120  7216  Modifies WinLogon
  121  7256  Adds Run key to start application
  122  7300  Adds Run key to start application
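A parser for this sandbox's process-tree export, which runs each entry's image path, quoted command line and nesting depth together on one line ("<path>"<command line>"<depth>⤵", sometimes with "PID:n" on the same line), followed by the signature bullets and a "PID:n -" line. It rebuilds parent links from the depth numbers, measures how many generations an image has spawned itself, and flags the self-replicating chain and the persistence signatures. This is an added example, not the sandbox's code; the sample input is a constructed excerpt of the first five entries above, with the fifth shortened to the inline-PID form the export uses for entries without signatures, and the self-spawn threshold of 3 is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed excerpt of the export (first five entries of the tree above; the
# fifth is shortened to the no-signature form, so its real signatures are omitted).
SAMPLE_TREE = r"""
C:\Users\Admin\AppData\Local\Temp\f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe"C:\Users\Admin\AppData\Local\Temp\f84a39d727048e2c86770cbacd7620ebaa903f4be2bb893f85d75b455fad5c5b.exe"1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\mdmm.exe"C:\Windows\system32\mdmm.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\mdmm.exe"C:\Windows\system32\mdmm.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\mdmm.exe"C:\Windows\system32\mdmm.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\mdmm.exe"C:\Windows\system32\mdmm.exe"5⤵PID:1388
-
"""

ENTRY_RE = re.compile(r'^(?P<path>[^"]+)"(?P<cmd>[^"]*)"(?P<depth>\d+)⤵(?:PID:(?P<pid>\d+))?$')
PID_RE = re.compile(r"^PID:(?P<pid>\d+)")
PERSISTENCE_SIGS = {"Adds Run key to start application", "Modifies WinLogon"}
REPORT_CAP = 64  # each signature table in the report lists at most 64 IoCs


def parse_tree(text):
    """Entries in document order, each with path, cmd, depth, pid, sigs and parent pid."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"path": m["path"], "cmd": m["cmd"], "depth": int(m["depth"]),
                            "pid": int(m["pid"]) if m["pid"] else None, "sigs": [], "parent": None})
            continue
        if not entries:
            raise ValueError(f"signature or PID line before any entry: {line!r}")
        if line.startswith("- "):
            entries[-1]["sigs"].append(line[2:].strip())
            continue
        m = PID_RE.match(line)
        if m:
            entries[-1]["pid"] = int(m["pid"])
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    stack = []  # the parent is the nearest preceding entry one level shallower
    for e in entries:
        while stack and stack[-1]["depth"] >= e["depth"]:
            stack.pop()
        if e["depth"] != (stack[-1]["depth"] + 1 if stack else 1):
            raise ValueError(f"depth {e['depth']} does not nest under the previous entries")
        e["parent"] = stack[-1]["pid"] if stack else None
        stack.append(e)
    return entries


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def longest_self_spawn_run(entries):
    """(image, n): the longest parent->child run in which the image never changes."""
    by_pid = {e["pid"]: e for e in entries}
    run, best = {}, ("", 0)
    for e in entries:
        p = by_pid.get(e["parent"])
        same = p is not None and image_name(p["path"]) == image_name(e["path"])
        run[e["pid"]] = run[p["pid"]] + 1 if same else 1
        if run[e["pid"]] > best[1]:
            best = (image_name(e["path"]), run[e["pid"]])
    return best


def summarise(entries, self_spawn_threshold=3):
    sig_counts = Counter(s for e in entries for s in e["sigs"])
    image, run = longest_self_spawn_run(entries)
    return {
        "processes": len(entries),
        "max_depth": max(e["depth"] for e in entries),
        "signature_counts": dict(sig_counts),
        "at_report_cap": sorted(s for s, n in sig_counts.items() if n >= REPORT_CAP),
        "persistence_pids": [e["pid"] for e in entries if PERSISTENCE_SIGS & set(e["sigs"])],
        "self_spawn_image": image,
        "self_spawn_generations": run,
        "self_replicating_chain": run >= self_spawn_threshold,
    }


if __name__ == "__main__":
    for key, value in summarise(parse_tree(SAMPLE_TREE)).items():
        print(f"{key}: {value}")
```

Run over the full tree, the same code reports 122 processes, a 122-generation self-spawn run for mdmm.exe starting at depth 2, and "Executes dropped EXE" at the report cap, which is why the depth-based parent links rather than the per-process signature lists should be the basis for any verdict drawn from this export.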