darkcomet | 668c940714a02ba7bfa0aa4cbefbe8f396a0250060d5c7063c729f8fcc57a39c

Analysis

max time kernel
151s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quotations.scr
Size

869KB
MD5

b3744139e8d3392ae463249ff04f917f
SHA1

89094e0d61c52141499bf3d9b71db66486ac7d87
SHA256

6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb
SHA512

f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712
SSDEEP

12288:1qQADfHsnjusfToB0+cARh97RPyGSTciWBjKchwebSSieLneTO7uA8a:HADfHWyssB0ER1PyUB3GebSSiweq7uA

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

house10i.ddns.net:1604

Mutex

DC_MUTEX-L6GEJVR

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
uvQYcLsQZYrq
install
true
offline_keylogger
true
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	vbc.exe

Executes dropped EXE 7 IoCs

Processes:

IpOverUsbSvrc.exemsdcsc.exeAcctres.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exeAcctres.exeIpOverUsbSvrc.exe

pid process

2036 IpOverUsbSvrc.exe
1372 msdcsc.exe
820 Acctres.exe
1260 IpOverUsbSvrc.exe
1552 IpOverUsbSvrc.exe
1492 Acctres.exe
1716 IpOverUsbSvrc.exe
Loads dropped DLL 4 IoCs

Processes:

quotations.scrvbc.exeIpOverUsbSvrc.exetakshost.exe

pid process

1976 quotations.scr
972 vbc.exe
2036 IpOverUsbSvrc.exe
1876 takshost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2036	IpOverUsbSvrc.exe
1372	msdcsc.exe
820	Acctres.exe
1260	IpOverUsbSvrc.exe
1552	IpOverUsbSvrc.exe
1492	Acctres.exe
1716	IpOverUsbSvrc.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exeIpOverUsbSvrc.exeIpOverUsbSvrc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Multimedia Class Scheduler = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\IpOverUsbSvrc.exe"	IpOverUsbSvrc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

quotations.scr

description pid process target process

PID 1976 set thread context of 972 1976 quotations.scr vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1976 set thread context of 972	1976	quotations.scr	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

quotations.scrIpOverUsbSvrc.exeAcctres.exe

pid	process
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
2036	IpOverUsbSvrc.exe
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
1976	quotations.scr
2036	IpOverUsbSvrc.exe
1976	quotations.scr
1976	quotations.scr
2036	IpOverUsbSvrc.exe
1976	quotations.scr
1976	quotations.scr
2036	IpOverUsbSvrc.exe
1976	quotations.scr
1976	quotations.scr
2036	IpOverUsbSvrc.exe
1976	quotations.scr
1976	quotations.scr
2036	IpOverUsbSvrc.exe
1976	quotations.scr
820	Acctres.exe
820	Acctres.exe
820	Acctres.exe
820	Acctres.exe
820	Acctres.exe
820	Acctres.exe
820	Acctres.exe
820	Acctres.exe
820	Acctres.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

quotations.scr

pid process

1976 quotations.scr

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

quotations.scrvbc.exeIpOverUsbSvrc.exeAcctres.exetakshost.exeIpOverUsbSvrc.exeAcctres.exe

description	pid	process
Token: SeDebugPrivilege	1976	quotations.scr
Token: SeIncreaseQuotaPrivilege	972	vbc.exe
Token: SeSecurityPrivilege	972	vbc.exe
Token: SeTakeOwnershipPrivilege	972	vbc.exe
Token: SeLoadDriverPrivilege	972	vbc.exe
Token: SeSystemProfilePrivilege	972	vbc.exe
Token: SeSystemtimePrivilege	972	vbc.exe
Token: SeProfSingleProcessPrivilege	972	vbc.exe
Token: SeIncBasePriorityPrivilege	972	vbc.exe
Token: SeCreatePagefilePrivilege	972	vbc.exe
Token: SeBackupPrivilege	972	vbc.exe
Token: SeRestorePrivilege	972	vbc.exe
Token: SeShutdownPrivilege	972	vbc.exe
Token: SeDebugPrivilege	972	vbc.exe
Token: SeSystemEnvironmentPrivilege	972	vbc.exe
Token: SeChangeNotifyPrivilege	972	vbc.exe
Token: SeRemoteShutdownPrivilege	972	vbc.exe
Token: SeUndockPrivilege	972	vbc.exe
Token: SeManageVolumePrivilege	972	vbc.exe
Token: SeImpersonatePrivilege	972	vbc.exe
Token: SeCreateGlobalPrivilege	972	vbc.exe
Token: 33	972	vbc.exe
Token: 34	972	vbc.exe
Token: 35	972	vbc.exe
Token: SeDebugPrivilege	2036	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	820	Acctres.exe
Token: SeDebugPrivilege	1876	takshost.exe
Token: SeDebugPrivilege	1552	IpOverUsbSvrc.exe
Token: SeDebugPrivilege	1492	Acctres.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

quotations.scrvbc.exeIpOverUsbSvrc.exeAcctres.exetakshost.exeIpOverUsbSvrc.exe

description	pid	process	target process
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 972	1976	quotations.scr	vbc.exe
PID 1976 wrote to memory of 2036	1976	quotations.scr	IpOverUsbSvrc.exe
PID 1976 wrote to memory of 2036	1976	quotations.scr	IpOverUsbSvrc.exe
PID 1976 wrote to memory of 2036	1976	quotations.scr	IpOverUsbSvrc.exe
PID 1976 wrote to memory of 2036	1976	quotations.scr	IpOverUsbSvrc.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 708	972	vbc.exe	notepad.exe
PID 972 wrote to memory of 1372	972	vbc.exe	msdcsc.exe
PID 972 wrote to memory of 1372	972	vbc.exe	msdcsc.exe
PID 972 wrote to memory of 1372	972	vbc.exe	msdcsc.exe
PID 972 wrote to memory of 1372	972	vbc.exe	msdcsc.exe
PID 2036 wrote to memory of 820	2036	IpOverUsbSvrc.exe	Acctres.exe
PID 2036 wrote to memory of 820	2036	IpOverUsbSvrc.exe	Acctres.exe
PID 2036 wrote to memory of 820	2036	IpOverUsbSvrc.exe	Acctres.exe
PID 2036 wrote to memory of 820	2036	IpOverUsbSvrc.exe	Acctres.exe
PID 1976 wrote to memory of 1876	1976	quotations.scr	takshost.exe
PID 1976 wrote to memory of 1876	1976	quotations.scr	takshost.exe
PID 1976 wrote to memory of 1876	1976	quotations.scr	takshost.exe
PID 1976 wrote to memory of 1876	1976	quotations.scr	takshost.exe
PID 820 wrote to memory of 1260	820	Acctres.exe	IpOverUsbSvrc.exe
PID 820 wrote to memory of 1260	820	Acctres.exe	IpOverUsbSvrc.exe
PID 820 wrote to memory of 1260	820	Acctres.exe	IpOverUsbSvrc.exe
PID 820 wrote to memory of 1260	820	Acctres.exe	IpOverUsbSvrc.exe
PID 1876 wrote to memory of 1552	1876	takshost.exe	IpOverUsbSvrc.exe
PID 1876 wrote to memory of 1552	1876	takshost.exe	IpOverUsbSvrc.exe
PID 1876 wrote to memory of 1552	1876	takshost.exe	IpOverUsbSvrc.exe
PID 1876 wrote to memory of 1552	1876	takshost.exe	IpOverUsbSvrc.exe
PID 1552 wrote to memory of 1492	1552	IpOverUsbSvrc.exe	Acctres.exe
PID 1552 wrote to memory of 1492	1552	IpOverUsbSvrc.exe	Acctres.exe
PID 1552 wrote to memory of 1492	1552	IpOverUsbSvrc.exe	Acctres.exe
PID 1552 wrote to memory of 1492	1552	IpOverUsbSvrc.exe	Acctres.exe
PID 1876 wrote to memory of 1716	1876	takshost.exe	IpOverUsbSvrc.exe
PID 1876 wrote to memory of 1716	1876	takshost.exe	IpOverUsbSvrc.exe
PID 1876 wrote to memory of 1716	1876	takshost.exe	IpOverUsbSvrc.exe
PID 1876 wrote to memory of 1716	1876	takshost.exe	IpOverUsbSvrc.exe

C:\Users\Admin\AppData\Local\Temp\quotations.scr
"C:\Users\Admin\AppData\Local\Temp\quotations.scr" /S
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:708

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
3⤵
- Executes dropped EXE
PID:1372

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:820

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
4⤵
- Executes dropped EXE
PID:1260

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\takshost.exe"
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe"
3⤵
- Executes dropped EXE
PID:1716

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
869KB

MD5
b3744139e8d3392ae463249ff04f917f

SHA1
89094e0d61c52141499bf3d9b71db66486ac7d87

SHA256
6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb

SHA512
f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
869KB

MD5
b3744139e8d3392ae463249ff04f917f

SHA1
89094e0d61c52141499bf3d9b71db66486ac7d87

SHA256
6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb

SHA512
f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
869KB

MD5
b3744139e8d3392ae463249ff04f917f

SHA1
89094e0d61c52141499bf3d9b71db66486ac7d87

SHA256
6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb

SHA512
f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
869KB

MD5
b3744139e8d3392ae463249ff04f917f

SHA1
89094e0d61c52141499bf3d9b71db66486ac7d87

SHA256
6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb

SHA512
f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Acctres.exe
Filesize
869KB

MD5
b3744139e8d3392ae463249ff04f917f

SHA1
89094e0d61c52141499bf3d9b71db66486ac7d87

SHA256
6d1d93c0f1a984872cb722531f622b103128249e819e43c1378fecf2a58a09bb

SHA512
f5aaa00fbad5337fda4808adea1d18931a4d5dd2bbc67cf5348f18f3438ca8878e799404b210702f0f0c6ed0c2a24c73ec9e8932d7b02ec7c997c85ed65f2712

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\IpOverUsbSvrc.exe
Filesize
17KB

MD5
09b171f5148c39fbc02e59ec67f57a5c

SHA1
00d7926037412a5fc22819bb1cfa8d698e9223fe

SHA256
6117d1517e1953ffa068642e78e868ab819ffd0bfc448cfa37a01971d32caad1

SHA512
5267cc5effc1cc9401cb3f36c2044e524e0f8b58e5d2ca7d4150824e8c53ebe832a98288368694e4e86ff384bcad89bafa197a8dd19164d17d229ca8b9bb219d

Download Submit
memory/708-83-0x0000000000000000-mapping.dmp

Download
memory/820-93-0x0000000000000000-mapping.dmp

Download
memory/820-96-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/820-97-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/820-108-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/972-73-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-58-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-89-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-60-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-75-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-62-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-72-0x000000000048F888-mapping.dmp

Download
memory/972-71-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-69-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/972-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1260-106-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1260-103-0x0000000000000000-mapping.dmp

Download
memory/1260-109-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1372-86-0x0000000000000000-mapping.dmp

Download
memory/1492-122-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1492-121-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1492-117-0x0000000000000000-mapping.dmp

Download
memory/1552-115-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-123-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1552-111-0x0000000000000000-mapping.dmp

Download
memory/1552-116-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-127-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1716-124-0x0000000000000000-mapping.dmp

Download
memory/1876-107-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1876-98-0x0000000000000000-mapping.dmp

Download
memory/1876-101-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-54-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/1976-56-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-100-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/1976-55-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-78-0x0000000000000000-mapping.dmp

Download
memory/2036-90-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-82-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download
memory/2036-102-0x0000000073E20000-0x00000000743CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads