darkcomet | a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325

Analysis

max time kernel
124s
max time network
139s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68288c29d8546aadc301eda4436def32.exe
Size

2.4MB
MD5

68288c29d8546aadc301eda4436def32
SHA1

b2f25aa72549ab250213e20850aa3e5beab1928f
SHA256

a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
SHA512

d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
SSDEEP

49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	HKCMB.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	HKCMB.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1864	attrib.exe
1032	attrib.exe

Executes dropped EXE 5 IoCs

pid	Process
2884	Transaction mangement.exe
2596	HKCMB.exe
3012	INSTALL.EXE
1016	FQO.exe
2088	msdcsc.exe

Loads dropped DLL 19 IoCs

pid	Process
3064	68288c29d8546aadc301eda4436def32.exe
3064	68288c29d8546aadc301eda4436def32.exe
2884	Transaction mangement.exe
2884	Transaction mangement.exe
2884	Transaction mangement.exe
2884	Transaction mangement.exe
2596	HKCMB.exe
2596	HKCMB.exe
2596	HKCMB.exe
3012	INSTALL.EXE
3012	INSTALL.EXE
3012	INSTALL.EXE
1016	FQO.exe
1016	FQO.exe
1016	FQO.exe
2736	AcroRd32.exe
2596	HKCMB.exe
2088	msdcsc.exe
2088	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	HKCMB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start = "C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe"	FQO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	HKCMB.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	HKCMB.exe
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.001	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.002	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\AKV.exe	INSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\JHPMIJ\	FQO.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	HKCMB.exe
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.004	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.exe	INSTALL.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 2596	2884	Transaction mangement.exe	38

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe	Transaction mangement.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe	Transaction mangement.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2736	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2596	HKCMB.exe
Token: SeSecurityPrivilege	2596	HKCMB.exe
Token: SeTakeOwnershipPrivilege	2596	HKCMB.exe
Token: SeLoadDriverPrivilege	2596	HKCMB.exe
Token: SeSystemProfilePrivilege	2596	HKCMB.exe
Token: SeSystemtimePrivilege	2596	HKCMB.exe
Token: SeProfSingleProcessPrivilege	2596	HKCMB.exe
Token: SeIncBasePriorityPrivilege	2596	HKCMB.exe
Token: SeCreatePagefilePrivilege	2596	HKCMB.exe
Token: SeBackupPrivilege	2596	HKCMB.exe
Token: SeRestorePrivilege	2596	HKCMB.exe
Token: SeShutdownPrivilege	2596	HKCMB.exe
Token: SeDebugPrivilege	2596	HKCMB.exe
Token: SeSystemEnvironmentPrivilege	2596	HKCMB.exe
Token: SeChangeNotifyPrivilege	2596	HKCMB.exe
Token: SeRemoteShutdownPrivilege	2596	HKCMB.exe
Token: SeUndockPrivilege	2596	HKCMB.exe
Token: SeManageVolumePrivilege	2596	HKCMB.exe
Token: SeImpersonatePrivilege	2596	HKCMB.exe
Token: SeCreateGlobalPrivilege	2596	HKCMB.exe
Token: 33	2596	HKCMB.exe
Token: 34	2596	HKCMB.exe
Token: 35	2596	HKCMB.exe
Token: 33	1016	FQO.exe
Token: SeIncBasePriorityPrivilege	1016	FQO.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2736	AcroRd32.exe
2736	AcroRd32.exe
2736	AcroRd32.exe
1016	FQO.exe
1016	FQO.exe
1016	FQO.exe
1016	FQO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2884	3064	68288c29d8546aadc301eda4436def32.exe	28
PID 3064 wrote to memory of 2884	3064	68288c29d8546aadc301eda4436def32.exe	28
PID 3064 wrote to memory of 2884	3064	68288c29d8546aadc301eda4436def32.exe	28
PID 3064 wrote to memory of 2884	3064	68288c29d8546aadc301eda4436def32.exe	28
PID 3064 wrote to memory of 2884	3064	68288c29d8546aadc301eda4436def32.exe	28
PID 3064 wrote to memory of 2884	3064	68288c29d8546aadc301eda4436def32.exe	28
PID 3064 wrote to memory of 2884	3064	68288c29d8546aadc301eda4436def32.exe	28
PID 3064 wrote to memory of 2736	3064	68288c29d8546aadc301eda4436def32.exe	27
PID 3064 wrote to memory of 2736	3064	68288c29d8546aadc301eda4436def32.exe	27
PID 3064 wrote to memory of 2736	3064	68288c29d8546aadc301eda4436def32.exe	27
PID 3064 wrote to memory of 2736	3064	68288c29d8546aadc301eda4436def32.exe	27
PID 3064 wrote to memory of 2736	3064	68288c29d8546aadc301eda4436def32.exe	27
PID 3064 wrote to memory of 2736	3064	68288c29d8546aadc301eda4436def32.exe	27
PID 3064 wrote to memory of 2736	3064	68288c29d8546aadc301eda4436def32.exe	27
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2884 wrote to memory of 2596	2884	Transaction mangement.exe	38
PID 2596 wrote to memory of 744	2596	HKCMB.exe	37
PID 2596 wrote to memory of 744	2596	HKCMB.exe	37
PID 2596 wrote to memory of 744	2596	HKCMB.exe	37
PID 2596 wrote to memory of 744	2596	HKCMB.exe	37
PID 2596 wrote to memory of 744	2596	HKCMB.exe	37
PID 2596 wrote to memory of 744	2596	HKCMB.exe	37
PID 2596 wrote to memory of 744	2596	HKCMB.exe	37
PID 2596 wrote to memory of 2892	2596	HKCMB.exe	35
PID 2596 wrote to memory of 2892	2596	HKCMB.exe	35
PID 2596 wrote to memory of 2892	2596	HKCMB.exe	35
PID 2596 wrote to memory of 2892	2596	HKCMB.exe	35
PID 2596 wrote to memory of 2892	2596	HKCMB.exe	35
PID 2596 wrote to memory of 2892	2596	HKCMB.exe	35
PID 2596 wrote to memory of 2892	2596	HKCMB.exe	35
PID 2596 wrote to memory of 3012	2596	HKCMB.exe	31
PID 2596 wrote to memory of 3012	2596	HKCMB.exe	31
PID 2596 wrote to memory of 3012	2596	HKCMB.exe	31
PID 2596 wrote to memory of 3012	2596	HKCMB.exe	31
PID 2596 wrote to memory of 3012	2596	HKCMB.exe	31
PID 2596 wrote to memory of 3012	2596	HKCMB.exe	31
PID 2596 wrote to memory of 3012	2596	HKCMB.exe	31
PID 2892 wrote to memory of 1864	2892	cmd.exe	32
PID 2892 wrote to memory of 1864	2892	cmd.exe	32
PID 2892 wrote to memory of 1864	2892	cmd.exe	32
PID 2892 wrote to memory of 1864	2892	cmd.exe	32
PID 2892 wrote to memory of 1864	2892	cmd.exe	32
PID 2892 wrote to memory of 1864	2892	cmd.exe	32
PID 2892 wrote to memory of 1864	2892	cmd.exe	32
PID 744 wrote to memory of 1032	744	cmd.exe	33
PID 744 wrote to memory of 1032	744	cmd.exe	33
PID 744 wrote to memory of 1032	744	cmd.exe	33
PID 744 wrote to memory of 1032	744	cmd.exe	33
PID 744 wrote to memory of 1032	744	cmd.exe	33
PID 744 wrote to memory of 1032	744	cmd.exe	33

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1864	attrib.exe
1032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe
"C:\Users\Admin\AppData\Local\Temp\68288c29d8546aadc301eda4436def32.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
  "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2088

C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
"C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3012
- C:\Windows\SysWOW64\JHPMIJ\FQO.exe
  "C:\Windows\system32\JHPMIJ\FQO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1016

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
1⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1864

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
1⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:1032

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
51KB

MD5
fe8394afd79a71929aef92cd69713e44

SHA1
c55589f59fcfb99cee934418d1843e4a93fa71c3

SHA256
704d5dd3f9f1a0c979113f77765f6f2d6b17275cf987ac68ce5aef4df7596dec

SHA512
d8f30f3b1dfd982758037cb7fcaf4afa23f65e8f7d6c885a53c437df5de7c032f3da8019e6762b0b62fc803ee70adce3027fe9407fc7b0e204168ef3ccb3ee21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
61KB

MD5
d4b2571ff132d56b3087814ae4f3e088

SHA1
67aa190f08202e8d0c51d402314702d14fc4062d

SHA256
944a33ad2dd4e8914ccb4871ebd267ce122cc51acf706445c050d1d11cc8ac4e

SHA512
a0706c3a56bbb7a1952eac3ca2ceac3493f48222131991227f3f41af5742130012792cfb361ffee75295d2bd5bbeb180b147f75649608bfb554ed78eadb38528

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
65KB

MD5
e817945c5d3b9200bebaa3d61c82a245

SHA1
d32c648dc2968d1da4c33ed652cb7da196b2cc88

SHA256
c87fd76981fed57f0434abaa606ef299e9c606048409ac2c0ea245cd13a7f340

SHA512
e238c6104ad5a67eef75c30d9af46b438c8ee270e2d8f05ff61a498e2a57ab2a4836e58b9503385606d419268cc15d07248a7be03bba2394f5b98f25ce3fb229

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
702d5fe2603f071f26e7ee52f9e32579

SHA1
9605eaaa45e61c9aee85234367a02d7ea4c1282e

SHA256
91c478bbd358d04b9292060749e46b7e9494d27b6c1234e5bc91e302877ac4a8

SHA512
b2d1e708f8871d1285bd9879a7d0a0e5484d432f45861866e5eb143c1748aade1ad8df6f148c05c5d2e65108dd80911d197460ddc86f2a7588f51e438344856c

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
20KB

MD5
0833bb7c75b35004cd2882c3b073313e

SHA1
ec5792192e5c807c09ca04191ffcd5878bf03ee0

SHA256
02225ef8276a8174280ddfff786103031fd26d64cba25baf0b0a12d47b605994

SHA512
bc30fa9dd7ce0577d6474c6551355d9c4a1f9bdb567d2f210557aeb9a4bea4643640e94f9c00979c9e7d3e9b5859fe2b8c104d10087d597b3ee72efe01b09492

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
31KB

MD5
c28c6e82d41bb2e9af063f544f2782eb

SHA1
c08c1dc02e6a2ce99d4b397143ecf993e18352e7

SHA256
8c35124dda2e23fb1372bafbdd8ee294953855c46f407248e0861d4fc62c671a

SHA512
39cc35d4365279797c072edf1e8601ee7e093d60b1066ed6f228b1170faea51875aaee4a2712c934a8af4cf05391fe131b7c3701c023d704e74d0fa8517d6080

Download Submit
\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
30KB

MD5
6af9cad8b3529025d481fe41d4fbd929

SHA1
244d31130085f5b1aad167dfc16d49823ab7a6b2

SHA256
c990a47e433249d325959bdd0bf014c4dd401e9d0b92723c132576d7b9d5c84d

SHA512
14a0774b607bf57a22f834711649ef94293e99b2d56ab237136eb63617796fa60190ff4b251ab9badbec1789ff18d58d4e035fa66eacce74520e2e4ca8860355

Download Submit
\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
35KB

MD5
be2c425a380d822584a4ae03a1d3fd8f

SHA1
cb74da86188227a1e6a65b66b66a7c5eb63b7884

SHA256
fd4a85d72bbe4b3633409b56692d7e328791d09d9de9cc56e97d22869f9229fb

SHA512
90fb9e4e42208cc61d988ee526cd47dbb310b3b4649f660c9360996529adbcf7a2b589ec244c3ddfe76e71b858265d6b9c14559098f973674b5e06fd6254158f

Download Submit
\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
396KB

MD5
272c30fa011875feb4c5fb2dcbf8a0aa

SHA1
9ef7487569c7afcff5a764b2ed4764ac33f769d2

SHA256
8fa46936a2cd15187ded08c9f01331ec830796604ee3647b31b8f12fc43163f5

SHA512
2b037653fa1c6bf77d5437ae2d32b3908c5defc2e443b214a7f99c243a9523dfd69f84230c0e31d58ab36357cb08c85bc9e09fa87d928ee1ab9ebb9a968f80d9

Download Submit
\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
92KB

MD5
b170c4d19c5201866ca9ec0a8e7af6e1

SHA1
dd4de976c9f16475e37ff7126db4f4a335031e7b

SHA256
5dbdabb44712804b8bb9155fba07f239c783a58aab232fe764d3965024ef49f4

SHA512
60248a85162ebf988f489a95f472e233db78f4e8b62ee12864ca87ee0f4ef7a84aa915e89bd4f12a3b7b5876bfa96b3c9508e6eaec78ee7362e6764915efadf3

Download Submit
\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe

Filesize
253KB

MD5
8b6a50e002739317c239d19db1d17ca3

SHA1
ea656c37dc7483a98d6df07af60f24611ab85d9a

SHA256
43dcf403ee45d9aa8a7201d0db07fd407f41b728e27ef09d8f3f89fc987881db

SHA512
593627b3ad5dc7183c5e3a81695cc7ef88e04a0f40f8a50e88b7f9e2bd30c9ed2d334252ca945c94af9e35dc992a07424e0184a94dd66a2e715070280218f0b8

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
31KB

MD5
068bc90d9f3c40e6f99fb91c8fd70877

SHA1
461d9c44945e04611415dfb9ce004a984842f1d0

SHA256
b4255d8f0fe0720ba67994e557d6c0eecee39dd61626a79f56234adba99d7e6b

SHA512
e7b772a52a102e85d535ba8ede7ee814f29c59a0862d7b7720f9ca367d90c8bb9c8d9a9d95f7be88a2b75cf0f248fb001cd20511518b9204b2eace675560109f

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
4KB

MD5
b713eb32bbc0ec7cd1407358ffcb3942

SHA1
7c3cab66238dd90fef544bd9707959b0bda73d78

SHA256
72ea848974eb1e07fe68cb226d821434bac3b7031ab2af7efe7bd4c3f45f4036

SHA512
924ab37da3eb3b41fc3ae817305582fb634ee957de8408179da668ba7398d7ee199cb6e258d6372d00325cd8a3e29797f4f7aa0a18e6a70d6fa11e46e8a710b3

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
32KB

MD5
422a1ecf976b08f4bf99e9a541d646a8

SHA1
b59d3321da5b34d2092c820870b974892690282c

SHA256
738a0b26b4ee27c7367984b665ca586377316d2a4f2edca96eadfe92d52e484c

SHA512
6fd23bdb7f851df3fa2723a071c2a3a3be51f329b1cf14df9afcbaf7bc768a2bd9d73faa5e355e0263f60e9c8d66db192fe7f05fd781689e43b3b3fc39a80c7c

Download Submit
memory/2596-46-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-21-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-52-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-47-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-41-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-37-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-31-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-27-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-19-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-39-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-99-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-33-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-29-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-25-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2596-23-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/2884-40-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-14-0x00000000741D0000-0x000000007477B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads