darkcomet | 064aa3e4c53ea3aff1023f9e7cb5c42acdc703526d63d6d69ad8cd46747bc077

Analysis

max time kernel
31s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2025, 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lmaoo.vmp.exe
Size

5.4MB
MD5

22dfe2e162a9e17a9f4bf54816515f48
SHA1

036b06247202de051f074268c594ae6f7112a748
SHA256

064aa3e4c53ea3aff1023f9e7cb5c42acdc703526d63d6d69ad8cd46747bc077
SHA512

4ed84a603988353228df6443a2df51275d790cbc52120110d796ee9b19dad9d707077749b24483ffd60dc47e5da040b533737fc9ed0047084989924db52db359
SSDEEP

98304:ZdMKOcZk67edPxSB2veWYiNqksUCDqeJrXi95/go8v3gFbEPOwOcxLq:4KHZsd5SoGWmECeeJrsSoA3TqcxL

Score

10^/10

darkcomet discovery persistence rat trojan vmprotect

Malware Config

Extracted

Family

darkcomet

Attributes

gencode
install
false
offline_keylogger
false
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 33 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	lmaoo.vmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe,C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe

Checks computer location settings 2 TTPs 33 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	lmaoo.vmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation	IMDCSC.exe

Executes dropped EXE 32 IoCs

pid	Process
4712	IMDCSC.exe
3808	IMDCSC.exe
1180	IMDCSC.exe
1108	IMDCSC.exe
2260	IMDCSC.exe
1048	IMDCSC.exe
3428	IMDCSC.exe
3016	IMDCSC.exe
2620	IMDCSC.exe
4768	IMDCSC.exe
4464	IMDCSC.exe
4408	IMDCSC.exe
4536	IMDCSC.exe
2600	IMDCSC.exe
4512	IMDCSC.exe
4648	IMDCSC.exe
4832	IMDCSC.exe
5020	IMDCSC.exe
4932	IMDCSC.exe
1000	IMDCSC.exe
1012	IMDCSC.exe
3060	IMDCSC.exe
2736	IMDCSC.exe
3840	IMDCSC.exe
2544	IMDCSC.exe
2724	IMDCSC.exe
1408	IMDCSC.exe
2064	IMDCSC.exe
1680	IMDCSC.exe
4876	IMDCSC.exe
1596	IMDCSC.exe
2752	IMDCSC.exe

VMProtect packed file 14 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/4960-1-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/4960-10-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/4960-12-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/4960-13-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/files/0x000500000001db51-18.dat	vmprotect
behavioral1/memory/4960-36-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/4712-34-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/4712-37-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/4712-38-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/3808-48-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/4712-50-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/1180-60-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/1108-71-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect
behavioral1/memory/2260-82-0x0000000000400000-0x0000000000D49000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	lmaoo.vmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\test = "C:\\Windows\\system32\\7560\\IMDCSC.exe"	IMDCSC.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File opened for modification	C:\Windows\SysWOW64\7560\IMDCSC.exe	lmaoo.vmp.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	lmaoo.vmp.exe
File created	C:\Windows\SysWOW64\7560\IMDCSC.exe	IMDCSC.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 33 IoCs

pid	Process
4960	lmaoo.vmp.exe
4712	IMDCSC.exe
3808	IMDCSC.exe
1180	IMDCSC.exe
1108	IMDCSC.exe
2260	IMDCSC.exe
1048	IMDCSC.exe
3428	IMDCSC.exe
3016	IMDCSC.exe
2620	IMDCSC.exe
4768	IMDCSC.exe
4464	IMDCSC.exe
4408	IMDCSC.exe
4536	IMDCSC.exe
2600	IMDCSC.exe
4512	IMDCSC.exe
4648	IMDCSC.exe
4832	IMDCSC.exe
5020	IMDCSC.exe
4932	IMDCSC.exe
1000	IMDCSC.exe
1012	IMDCSC.exe
3060	IMDCSC.exe
2736	IMDCSC.exe
3840	IMDCSC.exe
2544	IMDCSC.exe
2724	IMDCSC.exe
1408	IMDCSC.exe
2064	IMDCSC.exe
1680	IMDCSC.exe
4876	IMDCSC.exe
1596	IMDCSC.exe
2752	IMDCSC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmaoo.vmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IMDCSC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4960	lmaoo.vmp.exe
4960	lmaoo.vmp.exe
4960	lmaoo.vmp.exe
4960	lmaoo.vmp.exe
4712	IMDCSC.exe
4712	IMDCSC.exe
4712	IMDCSC.exe
4712	IMDCSC.exe
3808	IMDCSC.exe
3808	IMDCSC.exe
3808	IMDCSC.exe
3808	IMDCSC.exe
1180	IMDCSC.exe
1180	IMDCSC.exe
1180	IMDCSC.exe
1180	IMDCSC.exe
1108	IMDCSC.exe
1108	IMDCSC.exe
1108	IMDCSC.exe
1108	IMDCSC.exe
2260	IMDCSC.exe
2260	IMDCSC.exe
2260	IMDCSC.exe
2260	IMDCSC.exe
1048	IMDCSC.exe
1048	IMDCSC.exe
1048	IMDCSC.exe
1048	IMDCSC.exe
3428	IMDCSC.exe
3428	IMDCSC.exe
3428	IMDCSC.exe
3428	IMDCSC.exe
3016	IMDCSC.exe
3016	IMDCSC.exe
3016	IMDCSC.exe
3016	IMDCSC.exe
2620	IMDCSC.exe
2620	IMDCSC.exe
2620	IMDCSC.exe
2620	IMDCSC.exe
4768	IMDCSC.exe
4768	IMDCSC.exe
4768	IMDCSC.exe
4768	IMDCSC.exe
4464	IMDCSC.exe
4464	IMDCSC.exe
4464	IMDCSC.exe
4464	IMDCSC.exe
4408	IMDCSC.exe
4408	IMDCSC.exe
4408	IMDCSC.exe
4408	IMDCSC.exe
4536	IMDCSC.exe
4536	IMDCSC.exe
4536	IMDCSC.exe
4536	IMDCSC.exe
2600	IMDCSC.exe
2600	IMDCSC.exe
2600	IMDCSC.exe
2600	IMDCSC.exe
4512	IMDCSC.exe
4512	IMDCSC.exe
4512	IMDCSC.exe
4512	IMDCSC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4960	lmaoo.vmp.exe
Token: SeSecurityPrivilege	4960	lmaoo.vmp.exe
Token: SeTakeOwnershipPrivilege	4960	lmaoo.vmp.exe
Token: SeLoadDriverPrivilege	4960	lmaoo.vmp.exe
Token: SeSystemProfilePrivilege	4960	lmaoo.vmp.exe
Token: SeSystemtimePrivilege	4960	lmaoo.vmp.exe
Token: SeProfSingleProcessPrivilege	4960	lmaoo.vmp.exe
Token: SeIncBasePriorityPrivilege	4960	lmaoo.vmp.exe
Token: SeCreatePagefilePrivilege	4960	lmaoo.vmp.exe
Token: SeBackupPrivilege	4960	lmaoo.vmp.exe
Token: SeRestorePrivilege	4960	lmaoo.vmp.exe
Token: SeShutdownPrivilege	4960	lmaoo.vmp.exe
Token: SeDebugPrivilege	4960	lmaoo.vmp.exe
Token: SeSystemEnvironmentPrivilege	4960	lmaoo.vmp.exe
Token: SeChangeNotifyPrivilege	4960	lmaoo.vmp.exe
Token: SeRemoteShutdownPrivilege	4960	lmaoo.vmp.exe
Token: SeUndockPrivilege	4960	lmaoo.vmp.exe
Token: SeManageVolumePrivilege	4960	lmaoo.vmp.exe
Token: SeImpersonatePrivilege	4960	lmaoo.vmp.exe
Token: SeCreateGlobalPrivilege	4960	lmaoo.vmp.exe
Token: 33	4960	lmaoo.vmp.exe
Token: 34	4960	lmaoo.vmp.exe
Token: 35	4960	lmaoo.vmp.exe
Token: 36	4960	lmaoo.vmp.exe
Token: SeIncreaseQuotaPrivilege	4712	IMDCSC.exe
Token: SeSecurityPrivilege	4712	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	4712	IMDCSC.exe
Token: SeLoadDriverPrivilege	4712	IMDCSC.exe
Token: SeSystemProfilePrivilege	4712	IMDCSC.exe
Token: SeSystemtimePrivilege	4712	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	4712	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	4712	IMDCSC.exe
Token: SeCreatePagefilePrivilege	4712	IMDCSC.exe
Token: SeBackupPrivilege	4712	IMDCSC.exe
Token: SeRestorePrivilege	4712	IMDCSC.exe
Token: SeShutdownPrivilege	4712	IMDCSC.exe
Token: SeDebugPrivilege	4712	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	4712	IMDCSC.exe
Token: SeChangeNotifyPrivilege	4712	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	4712	IMDCSC.exe
Token: SeUndockPrivilege	4712	IMDCSC.exe
Token: SeManageVolumePrivilege	4712	IMDCSC.exe
Token: SeImpersonatePrivilege	4712	IMDCSC.exe
Token: SeCreateGlobalPrivilege	4712	IMDCSC.exe
Token: 33	4712	IMDCSC.exe
Token: 34	4712	IMDCSC.exe
Token: 35	4712	IMDCSC.exe
Token: 36	4712	IMDCSC.exe
Token: SeIncreaseQuotaPrivilege	3808	IMDCSC.exe
Token: SeSecurityPrivilege	3808	IMDCSC.exe
Token: SeTakeOwnershipPrivilege	3808	IMDCSC.exe
Token: SeLoadDriverPrivilege	3808	IMDCSC.exe
Token: SeSystemProfilePrivilege	3808	IMDCSC.exe
Token: SeSystemtimePrivilege	3808	IMDCSC.exe
Token: SeProfSingleProcessPrivilege	3808	IMDCSC.exe
Token: SeIncBasePriorityPrivilege	3808	IMDCSC.exe
Token: SeCreatePagefilePrivilege	3808	IMDCSC.exe
Token: SeBackupPrivilege	3808	IMDCSC.exe
Token: SeRestorePrivilege	3808	IMDCSC.exe
Token: SeShutdownPrivilege	3808	IMDCSC.exe
Token: SeDebugPrivilege	3808	IMDCSC.exe
Token: SeSystemEnvironmentPrivilege	3808	IMDCSC.exe
Token: SeChangeNotifyPrivilege	3808	IMDCSC.exe
Token: SeRemoteShutdownPrivilege	3808	IMDCSC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 4712	4960	lmaoo.vmp.exe	89
PID 4960 wrote to memory of 4712	4960	lmaoo.vmp.exe	89
PID 4960 wrote to memory of 4712	4960	lmaoo.vmp.exe	89
PID 4712 wrote to memory of 3808	4712	IMDCSC.exe	90
PID 4712 wrote to memory of 3808	4712	IMDCSC.exe	90
PID 4712 wrote to memory of 3808	4712	IMDCSC.exe	90
PID 3808 wrote to memory of 1180	3808	IMDCSC.exe	91
PID 3808 wrote to memory of 1180	3808	IMDCSC.exe	91
PID 3808 wrote to memory of 1180	3808	IMDCSC.exe	91
PID 1180 wrote to memory of 1108	1180	IMDCSC.exe	93
PID 1180 wrote to memory of 1108	1180	IMDCSC.exe	93
PID 1180 wrote to memory of 1108	1180	IMDCSC.exe	93
PID 1108 wrote to memory of 2260	1108	IMDCSC.exe	94
PID 1108 wrote to memory of 2260	1108	IMDCSC.exe	94
PID 1108 wrote to memory of 2260	1108	IMDCSC.exe	94
PID 2260 wrote to memory of 1048	2260	IMDCSC.exe	95
PID 2260 wrote to memory of 1048	2260	IMDCSC.exe	95
PID 2260 wrote to memory of 1048	2260	IMDCSC.exe	95
PID 1048 wrote to memory of 3428	1048	IMDCSC.exe	96
PID 1048 wrote to memory of 3428	1048	IMDCSC.exe	96
PID 1048 wrote to memory of 3428	1048	IMDCSC.exe	96
PID 3428 wrote to memory of 3016	3428	IMDCSC.exe	97
PID 3428 wrote to memory of 3016	3428	IMDCSC.exe	97
PID 3428 wrote to memory of 3016	3428	IMDCSC.exe	97
PID 3016 wrote to memory of 2620	3016	IMDCSC.exe	98
PID 3016 wrote to memory of 2620	3016	IMDCSC.exe	98
PID 3016 wrote to memory of 2620	3016	IMDCSC.exe	98
PID 2620 wrote to memory of 4768	2620	IMDCSC.exe	99
PID 2620 wrote to memory of 4768	2620	IMDCSC.exe	99
PID 2620 wrote to memory of 4768	2620	IMDCSC.exe	99
PID 4768 wrote to memory of 4464	4768	IMDCSC.exe	100
PID 4768 wrote to memory of 4464	4768	IMDCSC.exe	100
PID 4768 wrote to memory of 4464	4768	IMDCSC.exe	100
PID 4464 wrote to memory of 4408	4464	IMDCSC.exe	101
PID 4464 wrote to memory of 4408	4464	IMDCSC.exe	101
PID 4464 wrote to memory of 4408	4464	IMDCSC.exe	101
PID 4408 wrote to memory of 4536	4408	IMDCSC.exe	103
PID 4408 wrote to memory of 4536	4408	IMDCSC.exe	103
PID 4408 wrote to memory of 4536	4408	IMDCSC.exe	103
PID 4536 wrote to memory of 2600	4536	IMDCSC.exe	104
PID 4536 wrote to memory of 2600	4536	IMDCSC.exe	104
PID 4536 wrote to memory of 2600	4536	IMDCSC.exe	104
PID 2600 wrote to memory of 4512	2600	IMDCSC.exe	105
PID 2600 wrote to memory of 4512	2600	IMDCSC.exe	105
PID 2600 wrote to memory of 4512	2600	IMDCSC.exe	105
PID 4512 wrote to memory of 4648	4512	IMDCSC.exe	106
PID 4512 wrote to memory of 4648	4512	IMDCSC.exe	106
PID 4512 wrote to memory of 4648	4512	IMDCSC.exe	106
PID 4648 wrote to memory of 4832	4648	IMDCSC.exe	107
PID 4648 wrote to memory of 4832	4648	IMDCSC.exe	107
PID 4648 wrote to memory of 4832	4648	IMDCSC.exe	107
PID 4832 wrote to memory of 5020	4832	IMDCSC.exe	108
PID 4832 wrote to memory of 5020	4832	IMDCSC.exe	108
PID 4832 wrote to memory of 5020	4832	IMDCSC.exe	108
PID 5020 wrote to memory of 4932	5020	IMDCSC.exe	109
PID 5020 wrote to memory of 4932	5020	IMDCSC.exe	109
PID 5020 wrote to memory of 4932	5020	IMDCSC.exe	109
PID 4932 wrote to memory of 1000	4932	IMDCSC.exe	110
PID 4932 wrote to memory of 1000	4932	IMDCSC.exe	110
PID 4932 wrote to memory of 1000	4932	IMDCSC.exe	110
PID 1000 wrote to memory of 1012	1000	IMDCSC.exe	111
PID 1000 wrote to memory of 1012	1000	IMDCSC.exe	111
PID 1000 wrote to memory of 1012	1000	IMDCSC.exe	111
PID 1012 wrote to memory of 3060	1012	IMDCSC.exe	112

C:\Users\Admin\AppData\Local\Temp\lmaoo.vmp.exe
"C:\Users\Admin\AppData\Local\Temp\lmaoo.vmp.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Windows\SysWOW64\7560\IMDCSC.exe
  "C:\Windows\system32\7560\IMDCSC.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4712
- - C:\Windows\SysWOW64\7560\IMDCSC.exe
    "C:\Windows\system32\7560\IMDCSC.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3808
  - - C:\Windows\SysWOW64\7560\IMDCSC.exe
      "C:\Windows\system32\7560\IMDCSC.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Suspicious use of NtSetInformationThreadHideFromDebugger
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1180
    - - C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1108
      - C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3016
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        12⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        13⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        15⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        17⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4648
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        19⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        20⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        21⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        22⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        23⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        24⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        25⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        26⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2544
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        27⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        28⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        29⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        30⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        31⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        32⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        33⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        
        PID:2752
        
        C:\Windows\SysWOW64\7560\IMDCSC.exe
        
        "C:\Windows\system32\7560\IMDCSC.exe"
        34⤵
        
        PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\7560\IMDCSC.exe

Filesize
5.4MB

MD5
22dfe2e162a9e17a9f4bf54816515f48

SHA1
036b06247202de051f074268c594ae6f7112a748

SHA256
064aa3e4c53ea3aff1023f9e7cb5c42acdc703526d63d6d69ad8cd46747bc077

SHA512
4ed84a603988353228df6443a2df51275d790cbc52120110d796ee9b19dad9d707077749b24483ffd60dc47e5da040b533737fc9ed0047084989924db52db359

Download Submit
memory/1048-85-0x0000000002960000-0x0000000002961000-memory.dmp

Filesize
4KB

Download
memory/1048-87-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/1048-88-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/1108-64-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download
memory/1108-63-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/1108-68-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1108-70-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1108-71-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/1108-69-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1108-67-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1108-66-0x00000000029B0000-0x00000000029B1000-memory.dmp

Filesize
4KB

Download
memory/1180-60-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/1180-54-0x00000000029A0000-0x00000000029A1000-memory.dmp

Filesize
4KB

Download
memory/1180-57-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1180-56-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/1180-55-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1180-53-0x0000000002970000-0x0000000002971000-memory.dmp

Filesize
4KB

Download
memory/1180-59-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/1180-58-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/1180-52-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/2260-82-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/2260-80-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2260-81-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/2260-74-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2260-79-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/2260-75-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/2260-77-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2260-78-0x0000000000F20000-0x0000000000F21000-memory.dmp

Filesize
4KB

Download
memory/3808-43-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/3808-41-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/3808-44-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/3808-45-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/3808-46-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/3808-48-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/3808-42-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/3808-40-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/4712-50-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/4712-34-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/4712-38-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/4712-25-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/4712-26-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/4712-27-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4712-28-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/4712-29-0x00000000028C0000-0x00000000028C1000-memory.dmp

Filesize
4KB

Download
memory/4712-30-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/4712-33-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/4712-37-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/4712-32-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download
memory/4960-31-0x00000000004A7000-0x00000000007DD000-memory.dmp

Filesize
3.2MB

Download
memory/4960-0-0x00000000004A7000-0x00000000007DD000-memory.dmp

Filesize
3.2MB

Download
memory/4960-36-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/4960-13-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/4960-3-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

Filesize
4KB

Download
memory/4960-4-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

Filesize
4KB

Download
memory/4960-5-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/4960-6-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/4960-12-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/4960-7-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/4960-8-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/4960-10-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download
memory/4960-9-0x0000000002C30000-0x0000000002C31000-memory.dmp

Filesize
4KB

Download
memory/4960-2-0x0000000002BA0000-0x0000000002BA1000-memory.dmp

Filesize
4KB

Download
memory/4960-1-0x0000000000400000-0x0000000000D49000-memory.dmp

Filesize
9.3MB

Download