darkcomet | d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d

Analysis

max time kernel
150s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 19:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Size

1.1MB
MD5

5215daaf249f78c9b132f1563bc4248e
SHA1

a5e64d9f47c56f8aa9ad5ad5bf8f52ab66da9ec5
SHA256

d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d
SHA512

9da26d64021173bdaf4460d6f926e8af4a9af99f0ed9721e5df90fc7b20b687bf200b58b9faa2f0d4e5cff58e847abd16714d22120a29f82c760971c096b5f2e
SSDEEP

12288:ACrnoS0SkBEkazsG2sBpAY9QxLmpl2Ofe8KFFU0H/42fG31oVekukHzIOI8AAf3k:3CA+4pAYnKFFVH/01ytYf8Amse/edoa

Score

10^/10

darkcomet isrstealer bot persistence rat stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

BOT

webshark.sytes.net:42250

Mutex

DC_MUTEX-9KT7NBA

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
ptRibxwp6WD9
install
true
offline_keylogger
false
password
pignouf64
persistence
false
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 7 IoCs

resource	yara_rule
behavioral1/files/0x000500000000b2d2-57.dat	family_isrstealer
behavioral1/files/0x000500000000b2d2-58.dat	family_isrstealer
behavioral1/files/0x000500000000b2d2-60.dat	family_isrstealer
behavioral1/files/0x000500000000b2d2-82.dat	family_isrstealer
behavioral1/files/0x000500000000b2d2-83.dat	family_isrstealer
behavioral1/files/0x000500000000b2d2-84.dat	family_isrstealer
behavioral1/files/0x000500000000b2d2-86.dat	family_isrstealer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe

Executes dropped EXE 4 IoCs

pid	Process
1684	ISR 0.4.exe
1136	msdcsc.exe
560	ISR 0.4.exe
1568	msdcsc.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/296-65-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/296-67-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/296-68-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/296-70-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/296-72-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/296-73-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/296-78-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1568-100-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1568-101-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1568-102-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1568-103-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1568-104-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral1/memory/1568-105-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
1136	msdcsc.exe
1136	msdcsc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 1136 set thread context of 1568	1136	msdcsc.exe	31

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeSecurityPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeTakeOwnershipPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeLoadDriverPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeSystemProfilePrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeSystemtimePrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeProfSingleProcessPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeIncBasePriorityPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeCreatePagefilePrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeBackupPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeRestorePrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeShutdownPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeDebugPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeSystemEnvironmentPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeChangeNotifyPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeRemoteShutdownPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeUndockPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeManageVolumePrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeImpersonatePrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeCreateGlobalPrivilege	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: 33	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: 34	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: 35	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
Token: SeIncreaseQuotaPrivilege	1568	msdcsc.exe
Token: SeSecurityPrivilege	1568	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1568	msdcsc.exe
Token: SeLoadDriverPrivilege	1568	msdcsc.exe
Token: SeSystemProfilePrivilege	1568	msdcsc.exe
Token: SeSystemtimePrivilege	1568	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1568	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1568	msdcsc.exe
Token: SeCreatePagefilePrivilege	1568	msdcsc.exe
Token: SeBackupPrivilege	1568	msdcsc.exe
Token: SeRestorePrivilege	1568	msdcsc.exe
Token: SeShutdownPrivilege	1568	msdcsc.exe
Token: SeDebugPrivilege	1568	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1568	msdcsc.exe
Token: SeChangeNotifyPrivilege	1568	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1568	msdcsc.exe
Token: SeUndockPrivilege	1568	msdcsc.exe
Token: SeManageVolumePrivilege	1568	msdcsc.exe
Token: SeImpersonatePrivilege	1568	msdcsc.exe
Token: SeCreateGlobalPrivilege	1568	msdcsc.exe
Token: 33	1568	msdcsc.exe
Token: 34	1568	msdcsc.exe
Token: 35	1568	msdcsc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
1684	ISR 0.4.exe
1684	ISR 0.4.exe
1136	msdcsc.exe
560	ISR 0.4.exe
560	ISR 0.4.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 1684	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	27
PID 1492 wrote to memory of 1684	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	27
PID 1492 wrote to memory of 1684	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	27
PID 1492 wrote to memory of 1684	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	27
PID 1492 wrote to memory of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 1492 wrote to memory of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 1492 wrote to memory of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 1492 wrote to memory of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 1492 wrote to memory of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 1492 wrote to memory of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 1492 wrote to memory of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 1492 wrote to memory of 296	1492	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	28
PID 296 wrote to memory of 1136	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	29
PID 296 wrote to memory of 1136	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	29
PID 296 wrote to memory of 1136	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	29
PID 296 wrote to memory of 1136	296	d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe	29
PID 1136 wrote to memory of 560	1136	msdcsc.exe	30
PID 1136 wrote to memory of 560	1136	msdcsc.exe	30
PID 1136 wrote to memory of 560	1136	msdcsc.exe	30
PID 1136 wrote to memory of 560	1136	msdcsc.exe	30
PID 1136 wrote to memory of 1568	1136	msdcsc.exe	31
PID 1136 wrote to memory of 1568	1136	msdcsc.exe	31
PID 1136 wrote to memory of 1568	1136	msdcsc.exe	31
PID 1136 wrote to memory of 1568	1136	msdcsc.exe	31
PID 1136 wrote to memory of 1568	1136	msdcsc.exe	31
PID 1136 wrote to memory of 1568	1136	msdcsc.exe	31
PID 1136 wrote to memory of 1568	1136	msdcsc.exe	31
PID 1136 wrote to memory of 1568	1136	msdcsc.exe	31

C:\Users\Admin\AppData\Local\Temp\d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
"C:\Users\Admin\AppData\Local\Temp\d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\ISR 0.4.exe
  "C:\Users\Admin\AppData\Local\Temp\ISR 0.4.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe
  "C:\Users\Admin\AppData\Local\Temp\d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:296
- - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1136
  - - C:\Users\Admin\AppData\Local\Temp\ISR 0.4.exe
      "C:\Users\Admin\AppData\Local\Temp\ISR 0.4.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:560
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ISR 0.4.exe

Filesize
736KB

MD5
929d26941c8ef2a5cdd46df11d9c178f

SHA1
58e24462fcb894599010d32187b72416cd939590

SHA256
cecd0ff74e6bde2773bbea2a2f00de02799d45c050a4eecba9e53afa7c1cb625

SHA512
21f2cf0b8560dbde07de6460f85725f589e5d560650bb892f38cca589534618c7567b9935a07f0f4212720f0bc729e5b2e87ed7895c53293f743b1f5a5bd2327

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISR 0.4.exe

Filesize
736KB

MD5
929d26941c8ef2a5cdd46df11d9c178f

SHA1
58e24462fcb894599010d32187b72416cd939590

SHA256
cecd0ff74e6bde2773bbea2a2f00de02799d45c050a4eecba9e53afa7c1cb625

SHA512
21f2cf0b8560dbde07de6460f85725f589e5d560650bb892f38cca589534618c7567b9935a07f0f4212720f0bc729e5b2e87ed7895c53293f743b1f5a5bd2327

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISR 0.4.exe

Filesize
736KB

MD5
929d26941c8ef2a5cdd46df11d9c178f

SHA1
58e24462fcb894599010d32187b72416cd939590

SHA256
cecd0ff74e6bde2773bbea2a2f00de02799d45c050a4eecba9e53afa7c1cb625

SHA512
21f2cf0b8560dbde07de6460f85725f589e5d560650bb892f38cca589534618c7567b9935a07f0f4212720f0bc729e5b2e87ed7895c53293f743b1f5a5bd2327

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
5215daaf249f78c9b132f1563bc4248e

SHA1
a5e64d9f47c56f8aa9ad5ad5bf8f52ab66da9ec5

SHA256
d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d

SHA512
9da26d64021173bdaf4460d6f926e8af4a9af99f0ed9721e5df90fc7b20b687bf200b58b9faa2f0d4e5cff58e847abd16714d22120a29f82c760971c096b5f2e

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
5215daaf249f78c9b132f1563bc4248e

SHA1
a5e64d9f47c56f8aa9ad5ad5bf8f52ab66da9ec5

SHA256
d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d

SHA512
9da26d64021173bdaf4460d6f926e8af4a9af99f0ed9721e5df90fc7b20b687bf200b58b9faa2f0d4e5cff58e847abd16714d22120a29f82c760971c096b5f2e

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
5215daaf249f78c9b132f1563bc4248e

SHA1
a5e64d9f47c56f8aa9ad5ad5bf8f52ab66da9ec5

SHA256
d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d

SHA512
9da26d64021173bdaf4460d6f926e8af4a9af99f0ed9721e5df90fc7b20b687bf200b58b9faa2f0d4e5cff58e847abd16714d22120a29f82c760971c096b5f2e

Download Submit
\Users\Admin\AppData\Local\Temp\ISR 0.4.exe

Filesize
736KB

MD5
929d26941c8ef2a5cdd46df11d9c178f

SHA1
58e24462fcb894599010d32187b72416cd939590

SHA256
cecd0ff74e6bde2773bbea2a2f00de02799d45c050a4eecba9e53afa7c1cb625

SHA512
21f2cf0b8560dbde07de6460f85725f589e5d560650bb892f38cca589534618c7567b9935a07f0f4212720f0bc729e5b2e87ed7895c53293f743b1f5a5bd2327

Download Submit
\Users\Admin\AppData\Local\Temp\ISR 0.4.exe

Filesize
736KB

MD5
929d26941c8ef2a5cdd46df11d9c178f

SHA1
58e24462fcb894599010d32187b72416cd939590

SHA256
cecd0ff74e6bde2773bbea2a2f00de02799d45c050a4eecba9e53afa7c1cb625

SHA512
21f2cf0b8560dbde07de6460f85725f589e5d560650bb892f38cca589534618c7567b9935a07f0f4212720f0bc729e5b2e87ed7895c53293f743b1f5a5bd2327

Download Submit
\Users\Admin\AppData\Local\Temp\ISR 0.4.exe

Filesize
736KB

MD5
929d26941c8ef2a5cdd46df11d9c178f

SHA1
58e24462fcb894599010d32187b72416cd939590

SHA256
cecd0ff74e6bde2773bbea2a2f00de02799d45c050a4eecba9e53afa7c1cb625

SHA512
21f2cf0b8560dbde07de6460f85725f589e5d560650bb892f38cca589534618c7567b9935a07f0f4212720f0bc729e5b2e87ed7895c53293f743b1f5a5bd2327

Download Submit
\Users\Admin\AppData\Local\Temp\ISR 0.4.exe

Filesize
736KB

MD5
929d26941c8ef2a5cdd46df11d9c178f

SHA1
58e24462fcb894599010d32187b72416cd939590

SHA256
cecd0ff74e6bde2773bbea2a2f00de02799d45c050a4eecba9e53afa7c1cb625

SHA512
21f2cf0b8560dbde07de6460f85725f589e5d560650bb892f38cca589534618c7567b9935a07f0f4212720f0bc729e5b2e87ed7895c53293f743b1f5a5bd2327

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
5215daaf249f78c9b132f1563bc4248e

SHA1
a5e64d9f47c56f8aa9ad5ad5bf8f52ab66da9ec5

SHA256
d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d

SHA512
9da26d64021173bdaf4460d6f926e8af4a9af99f0ed9721e5df90fc7b20b687bf200b58b9faa2f0d4e5cff58e847abd16714d22120a29f82c760971c096b5f2e

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
5215daaf249f78c9b132f1563bc4248e

SHA1
a5e64d9f47c56f8aa9ad5ad5bf8f52ab66da9ec5

SHA256
d64c5845a7fee27ab6942e582101c6a7c02e8df5341eaeaf6e71b7a4cb9f4e5d

SHA512
9da26d64021173bdaf4460d6f926e8af4a9af99f0ed9721e5df90fc7b20b687bf200b58b9faa2f0d4e5cff58e847abd16714d22120a29f82c760971c096b5f2e

Download Submit
memory/296-78-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/296-73-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/296-64-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/296-72-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/296-65-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/296-70-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/296-68-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/296-67-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1492-56-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1568-100-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1568-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1568-102-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1568-103-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1568-104-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1568-105-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads