darkcomet | e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

General

Target

e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Size

1.0MB
MD5

daf490df6a5fcb1ac47bdc6d5f235f70
SHA1

d8449c14407703a7194089f567173e6827fd3f69
SHA256

e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e
SHA512

18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5
SSDEEP

24576:QqtjXbJKN77OhLQ8Qxc8PrzeXb9qa39IS3wx9G9UG+v:XxX4N7YbpErzObH39Iau9G9UR

Score

10^/10

darkcomet yodc persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

YoDc

C2

robttt.zapto.org:912

Mutex

DC_MUTEX-BP5TXBD

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
3W7x0fxttgsw
install
true
offline_keylogger
true
persistence
true
reg_key
rundll32

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe

Executes dropped EXE 3 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exe

pid process

1188 msdcsc.exe
1180 msdcsc.exe
1108 msdcsc.exe

pid	process
1188	msdcsc.exe
1180	msdcsc.exe
1108	msdcsc.exe

Loads dropped DLL 4 IoCs

Processes:

e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exemsdcsc.exemsdcsc.exe

pid	process
1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
1188	msdcsc.exe
1180	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\rundll32 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exee6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 1444 set thread context of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 set thread context of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1188 set thread context of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1180 set thread context of 1108	1180	msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeSecurityPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeTakeOwnershipPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeLoadDriverPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeSystemProfilePrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeSystemtimePrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeProfSingleProcessPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeIncBasePriorityPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeCreatePagefilePrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeBackupPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeRestorePrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeShutdownPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeDebugPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeSystemEnvironmentPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeChangeNotifyPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeRemoteShutdownPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeUndockPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeManageVolumePrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeImpersonatePrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeCreateGlobalPrivilege	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: 33	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: 34	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: 35	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
Token: SeIncreaseQuotaPrivilege	1108	msdcsc.exe
Token: SeSecurityPrivilege	1108	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1108	msdcsc.exe
Token: SeLoadDriverPrivilege	1108	msdcsc.exe
Token: SeSystemProfilePrivilege	1108	msdcsc.exe
Token: SeSystemtimePrivilege	1108	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1108	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1108	msdcsc.exe
Token: SeCreatePagefilePrivilege	1108	msdcsc.exe
Token: SeBackupPrivilege	1108	msdcsc.exe
Token: SeRestorePrivilege	1108	msdcsc.exe
Token: SeShutdownPrivilege	1108	msdcsc.exe
Token: SeDebugPrivilege	1108	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1108	msdcsc.exe
Token: SeChangeNotifyPrivilege	1108	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1108	msdcsc.exe
Token: SeUndockPrivilege	1108	msdcsc.exe
Token: SeManageVolumePrivilege	1108	msdcsc.exe
Token: SeImpersonatePrivilege	1108	msdcsc.exe
Token: SeCreateGlobalPrivilege	1108	msdcsc.exe
Token: 33	1108	msdcsc.exe
Token: 34	1108	msdcsc.exe
Token: 35	1108	msdcsc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdcsc.exe

pid process

1108 msdcsc.exe

pid	process
1108	msdcsc.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exee6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exee6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1444 wrote to memory of 1948	1444	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1948 wrote to memory of 1864	1948	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
PID 1864 wrote to memory of 1188	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	msdcsc.exe
PID 1864 wrote to memory of 1188	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	msdcsc.exe
PID 1864 wrote to memory of 1188	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	msdcsc.exe
PID 1864 wrote to memory of 1188	1864	e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1188 wrote to memory of 1180	1188	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe
PID 1180 wrote to memory of 1108	1180	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
"C:\Users\Admin\AppData\Local\Temp\e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
"C:\Users\Admin\AppData\Local\Temp\e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Users\Admin\AppData\Local\Temp\e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe
"C:\Users\Admin\AppData\Local\Temp\e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e.exe"
3⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1180

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
6⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1108

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.0MB

MD5
daf490df6a5fcb1ac47bdc6d5f235f70

SHA1
d8449c14407703a7194089f567173e6827fd3f69

SHA256
e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

SHA512
18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.0MB

MD5
daf490df6a5fcb1ac47bdc6d5f235f70

SHA1
d8449c14407703a7194089f567173e6827fd3f69

SHA256
e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

SHA512
18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.0MB

MD5
daf490df6a5fcb1ac47bdc6d5f235f70

SHA1
d8449c14407703a7194089f567173e6827fd3f69

SHA256
e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

SHA512
18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.0MB

MD5
daf490df6a5fcb1ac47bdc6d5f235f70

SHA1
d8449c14407703a7194089f567173e6827fd3f69

SHA256
e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

SHA512
18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.0MB

MD5
daf490df6a5fcb1ac47bdc6d5f235f70

SHA1
d8449c14407703a7194089f567173e6827fd3f69

SHA256
e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

SHA512
18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.0MB

MD5
daf490df6a5fcb1ac47bdc6d5f235f70

SHA1
d8449c14407703a7194089f567173e6827fd3f69

SHA256
e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

SHA512
18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.0MB

MD5
daf490df6a5fcb1ac47bdc6d5f235f70

SHA1
d8449c14407703a7194089f567173e6827fd3f69

SHA256
e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

SHA512
18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
Filesize
1.0MB

MD5
daf490df6a5fcb1ac47bdc6d5f235f70

SHA1
d8449c14407703a7194089f567173e6827fd3f69

SHA256
e6d7ca18087a13b366c3a044bf54d642a0a46ff77dd19114db8bf7990c0bd24e

SHA512
18e100806fe229acee93e200e6c10fb6fb07ec9b8323a9e7753fca59eaf4e5f97b017a28c956339b98b3fe0ce25e10a2f962d5cdcbc05231e45983f184bb6fe5

Download Submit
memory/1108-124-0x000000000048F888-mapping.dmp

Download
memory/1108-130-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1108-131-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1180-103-0x0000000000401110-mapping.dmp

Download
memory/1180-127-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1188-89-0x0000000000000000-mapping.dmp

Download
memory/1864-80-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-78-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-77-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-92-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-83-0x000000000048F888-mapping.dmp

Download
memory/1864-82-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-84-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-86-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1864-67-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1948-76-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1948-54-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1948-65-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1948-66-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1948-63-0x0000000000401110-mapping.dmp

Download
memory/1948-62-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1948-60-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1948-55-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1948-59-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1948-58-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/1948-57-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads