darkcomet | c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84

General

Target

c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe
Size

688KB
MD5

b309311a634552671dae78f60235daac
SHA1

9eda29d8a7b72791c90e1b1be212c27ad5bc6508
SHA256

c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84
SHA512

6b987b534b171f8eb589668fab93e612f2dfd1c2ac8941272936b9245daeaf38084fa4aab497e05808df6316471c518172fc594e84fa1831bec588715d9db9b1
SSDEEP

12288:96dfozt5VxU9YjvLEuhz32GAnq5kVmmUgORv2r5nVjkmGenwgeiVkurTjcqOg:6foJDdjvLgns6mmUgORerxiTenweSur9

Score

10^/10

darkcomet guest16_min persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16_min

C2

127.0.0.1:1604

Mutex

DCMIN_MUTEX-ELPZPHY

Attributes

InstallPath
DCSCMIN\IMDCSC.exe
gencode
y0VKNuhAihWx
install
true
offline_keylogger
true
persistence
false
reg_key
DarkComet RAT

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	vbc.exe

Executes dropped EXE 1 IoCs

Processes:

IMDCSC.exe

pid process

1728 IMDCSC.exe
Loads dropped DLL 1 IoCs

Processes:

vbc.exe

pid process

444 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
1728	IMDCSC.exe

pid	process
444	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe"	vbc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe

description pid process target process

PID 1808 set thread context of 444 1808 c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe vbc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1808 set thread context of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6FD16ED1-752A-11ED-9FA0-5263E908E3CD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377071058"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000d0e60320255178170922d03e3da974068a0ce296671a4ee61ad11251f76a4d9c000000000e8000000002000020000000f45a93f8abbc39fedb991efd489ab03c68c7a6d7c4252c9cdc94a524067261fe20000000e8600cee639208bd0aa183c9f4b001d6efbfb165bf2106179fba665b3290b7a640000000c4e34a9ec19a200c8c66f8b762abe00be7ecfa99b97e05a55a13bc27ee69d572710c67c1ae4b6f273a9680e7642a252fd90414cff2e09fe91fd5682d5559e4e6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 503d8b673709d901	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000a1955699a366013e8af5a5790c723e84d742249f004c3c2499d3744c2e0cfdcc000000000e800000000200002000000080dc322d2cada8b0e3b7bce913a9dcf7408197bbdd2c7c44dc3f65a950e7bf0c90000000701210d6cfcef4ec8ed553a68a93d5cba9c11e5524201465c7eccbed10d1ec455d4600b6f831df8fa31ed5cc849e44f2af8fbac2db36a01db27feb3d3d473ddba22e0cb771e6432ce89c4951e40303c2cf35cfed22d0a91d414993e3bc03fad72f1fe0d5738846bb72524d08668a844831dfef9dfceb63703221e36f554e5eeb9bfbe9aaea2ea4e93dcce58ee0679938400000003d600c90d703be603c1ccdd5e52630572e921dced248f29f3457f8f3128e3bc055a785b3c5c750fa343f468256d3cfcf6eb7b4fe87f828a73053f7ba05d78bbd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe

pid	process
1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe
1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe
1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe
1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe
1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe
1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe
1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

vbc.exec9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	444	vbc.exe
Token: SeSecurityPrivilege	444	vbc.exe
Token: SeTakeOwnershipPrivilege	444	vbc.exe
Token: SeLoadDriverPrivilege	444	vbc.exe
Token: SeSystemProfilePrivilege	444	vbc.exe
Token: SeSystemtimePrivilege	444	vbc.exe
Token: SeProfSingleProcessPrivilege	444	vbc.exe
Token: SeIncBasePriorityPrivilege	444	vbc.exe
Token: SeCreatePagefilePrivilege	444	vbc.exe
Token: SeBackupPrivilege	444	vbc.exe
Token: SeRestorePrivilege	444	vbc.exe
Token: SeShutdownPrivilege	444	vbc.exe
Token: SeDebugPrivilege	444	vbc.exe
Token: SeSystemEnvironmentPrivilege	444	vbc.exe
Token: SeChangeNotifyPrivilege	444	vbc.exe
Token: SeRemoteShutdownPrivilege	444	vbc.exe
Token: SeUndockPrivilege	444	vbc.exe
Token: SeManageVolumePrivilege	444	vbc.exe
Token: SeImpersonatePrivilege	444	vbc.exe
Token: SeCreateGlobalPrivilege	444	vbc.exe
Token: 33	444	vbc.exe
Token: 34	444	vbc.exe
Token: 35	444	vbc.exe
Token: SeDebugPrivilege	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

892 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

892 iexplore.exe
892 iexplore.exe
548 IEXPLORE.EXE
548 IEXPLORE.EXE
548 IEXPLORE.EXE
548 IEXPLORE.EXE

pid	process
892	iexplore.exe

pid	process
892	iexplore.exe
892	iexplore.exe
548	IEXPLORE.EXE
548	IEXPLORE.EXE
548	IEXPLORE.EXE
548	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exevbc.exeiexplore.exe

description	pid	process	target process
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 444	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	vbc.exe
PID 1808 wrote to memory of 892	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	iexplore.exe
PID 1808 wrote to memory of 892	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	iexplore.exe
PID 1808 wrote to memory of 892	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	iexplore.exe
PID 1808 wrote to memory of 892	1808	c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe	iexplore.exe
PID 444 wrote to memory of 1728	444	vbc.exe	IMDCSC.exe
PID 444 wrote to memory of 1728	444	vbc.exe	IMDCSC.exe
PID 444 wrote to memory of 1728	444	vbc.exe	IMDCSC.exe
PID 444 wrote to memory of 1728	444	vbc.exe	IMDCSC.exe
PID 892 wrote to memory of 548	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 548	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 548	892	iexplore.exe	IEXPLORE.EXE
PID 892 wrote to memory of 548	892	iexplore.exe	IEXPLORE.EXE

C:\Users\Admin\AppData\Local\Temp\c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe
"C:\Users\Admin\AppData\Local\Temp\c9f7b7f61b30c14d57b7fb3816e04c823025e0eaff8677119c545fe0d774eb84.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:444

C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
"C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
3⤵
- Executes dropped EXE
PID:1728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:892

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:892 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Scripting

1

T1064

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
c4c005420c8e406e73cb94f5b04eb17e

SHA1
3223ba98250bb69b74e4853efb87b41d4db29b22

SHA256
29fb18d7ea51024e1a2b37d6a65c7dd7597e0fbbe227497da069b29ee7aac5c0

SHA512
ce3736906caea1c50cefeba9cc49a9d43e945fe38088b3057b30fe952af7ce62aa769a4937e8b6915a14c801ddaad3e52590e0ca18be98f95d4b94dd0c68e94f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\V590EIB4.txt
Filesize
608B

MD5
4958f58b7619b3500116f34b04d1ffc1

SHA1
4c68bb6e6aa730645cd0467c36fd23e83fbdb307

SHA256
39414a1d01ed5068a3b94b54938b3c7101dca720514ee44969138a686c6fc30b

SHA512
3fbd5472c9e50b2d20fcfeda183711292384db03432b0cb8eb9e8ea81b56023420d5798677baeb1c4f29c9c3008a8f8c91733ef8b23bd96e436b9a88a8d2da03

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/444-61-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-65-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-66-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-68-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-70-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-71-0x000000000048F888-mapping.dmp

Download
memory/444-72-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-74-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-56-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-57-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-59-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/444-63-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1728-77-0x0000000000000000-mapping.dmp

Download
memory/1808-54-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1808-75-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download
memory/1808-55-0x0000000074CB0000-0x000000007525B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads